{"id":"CVE-2021-26925","details":"Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.","aliases":["BIT-roundcube-2021-26925"],"modified":"2026-05-18T05:52:48.036747280Z","published":"2021-02-09T09:15:13.617Z","database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","extracted_events":[{"last_affected":"32"},{"last_affected":"33"}],"cpes":["cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"],"vendor_product":"fedoraproject:fedora"}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5QPAMYM2DQODSCQIAVNFJR2ETG7WMJOD/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q752JPOHTR6H72FK3EIPJZ5O24Z7RGLM/"},{"type":"ADVISORY","url":"https://roundcube.net/news/2021/02/08/security-update-1.4.11"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/9dc276d5f26042db02754fa1bac6fbd683c6d596"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/roundcube/roundcubemail","events":[{"introduced":"0"},{"fixed":"34c42f06e1a8b25c022f49ab59f5f26c21c9ec42"},{"fixed":"9dc276d5f26042db02754fa1bac6fbd683c6d596"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"1.4.11"}],"cpe":"cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*"}}],"versions":["1.4.10","1.4.9","1.4.8","1.4.7","1.4.6","1.4.5","1.4.4","1.4.3","1.4.2","1.4.1","1.4.0","1.4-rc2","1.4-rc1","1.4-beta","1.3-beta","1.2-rc","1.2-beta","1.1.0","1.1-rc","1.1-beta","v0.1-beta2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-26925.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}