{"id":"UBUNTU-CVE-2026-26079","details":"Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.","modified":"2026-05-20T16:12:04.183326063Z","published":"2026-02-11T05:16:00Z","related":["USN-8223-1"],"upstream":["CVE-2026-26079"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-26079"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2026-26079"},{"type":"REPORT","url":"https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816"},{"type":"REPORT","url":"https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447"},{"type":"REPORT","url":"https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01"},{"type":"REPORT","url":"https://github.com/roundcube/roundcubemail/commit/5a3315cce587e0be58335d11ff9a5571c90494a5"},{"type":"REPORT","url":"https://github.com/roundcube/roundcubemail/commit/bf89cbaa5897d8ad62e8057d9a3f6babb90b7954"},{"type":"REPORT","url":"https://github.com/roundcube/roundcubemail/commit/c15f5dbf093a497e19a749b20e7f8fb5a9c24cde"},{"type":"REPORT","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.5.13"},{"type":"REPORT","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.6.13"},{"type":"REPORT","url":"https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8223-1"}],"affected":[{"package":{"name":"roundcube","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/roundcube?arch=source&distro=esm-apps%2Fxenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2~beta+dfsg.1-0ubuntu1+esm8"}]}],"versions":["1.1.1+dfsg.1-2","1.1.2+dfsg.1-5","1.1.3+dfsg.1-1","1.1.4+dfsg.1-1","1.2~beta+dfsg.1-0ubuntu1","1.2~beta+dfsg.1-0ubuntu1+esm1","1.2~beta+dfsg.1-0ubuntu1+esm2","1.2~beta+dfsg.1-0ubuntu1+esm3","1.2~beta+dfsg.1-0ubuntu1+esm4","1.2~beta+dfsg.1-0ubuntu1+esm5","1.2~beta+dfsg.1-0ubuntu1+esm6","1.2~beta+dfsg.1-0ubuntu1+esm7"],"ecosystem_specific":{"binaries":[{"binary_name":"roundcube","binary_version":"1.2~beta+dfsg.1-0ubuntu1+esm8"},{"binary_name":"roundcube-core","binary_version":"1.2~beta+dfsg.1-0ubuntu1+esm8"},{"binary_name":"roundcube-mysql","binary_version":"1.2~beta+dfsg.1-0ubuntu1+esm8"},{"binary_name":"roundcube-pgsql","binary_version":"1.2~beta+dfsg.1-0ubuntu1+esm8"},{"binary_name":"roundcube-plugins","binary_version":"1.2~beta+dfsg.1-0ubuntu1+esm8"},{"binary_name":"roundcube-sqlite3","binary_version":"1.2~beta+dfsg.1-0ubuntu1+esm8"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26079.json"}},{"package":{"name":"roundcube","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/roundcube?arch=source&distro=esm-apps%2Fbionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.3.6+dfsg.1-1ubuntu0.1~esm8"}]}],"versions":["1.3.0+dfsg.1-1","1.3.1+dfsg.1-1","1.3.3+dfsg.1-1","1.3.3+dfsg.1-2","1.3.6+dfsg.1-1","1.3.6+dfsg.1-1ubuntu0.1~esm1","1.3.6+dfsg.1-1ubuntu0.1~esm2","1.3.6+dfsg.1-1ubuntu0.1~esm3","1.3.6+dfsg.1-1ubuntu0.1~esm4","1.3.6+dfsg.1-1ubuntu0.1~esm5","1.3.6+dfsg.1-1ubuntu0.1~esm6","1.3.6+dfsg.1-1ubuntu0.1~esm7"],"ecosystem_specific":{"binaries":[{"binary_name":"roundcube","binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-core","binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-mysql","binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-pgsql","binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-plugins","binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-sqlite3","binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm8"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26079.json"}},{"package":{"name":"roundcube","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/roundcube?arch=source&distro=esm-apps%2Ffocal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.3+dfsg.1-1ubuntu0.1~esm8"}]}],"versions":["1.3.8+dfsg.1-2","1.3.10+dfsg.1-1","1.4.1+dfsg.1-2","1.4.2+dfsg.1-1","1.4.2+dfsg.1-2","1.4.3+dfsg.1-1","1.4.3+dfsg.1-1ubuntu0.1~esm1","1.4.3+dfsg.1-1ubuntu0.1~esm2","1.4.3+dfsg.1-1ubuntu0.1~esm3","1.4.3+dfsg.1-1ubuntu0.1~esm4","1.4.3+dfsg.1-1ubuntu0.1~esm5","1.4.3+dfsg.1-1ubuntu0.1~esm6","1.4.3+dfsg.1-1ubuntu0.1~esm7"],"ecosystem_specific":{"binaries":[{"binary_name":"roundcube","binary_version":"1.4.3+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-core","binary_version":"1.4.3+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-mysql","binary_version":"1.4.3+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-pgsql","binary_version":"1.4.3+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-plugins","binary_version":"1.4.3+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-sqlite3","binary_version":"1.4.3+dfsg.1-1ubuntu0.1~esm8"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26079.json"}},{"package":{"name":"roundcube","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/roundcube?arch=source&distro=esm-apps%2Fjammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5.0+dfsg.1-2ubuntu0.1~esm6"}]}],"versions":["1.4.11+dfsg.1-4","1.5.0+dfsg.1-2","1.5.0+dfsg.1-2ubuntu0.1~esm1","1.5.0+dfsg.1-2ubuntu0.1~esm2","1.5.0+dfsg.1-2ubuntu0.1~esm3","1.5.0+dfsg.1-2ubuntu0.1~esm4","1.5.0+dfsg.1-2ubuntu0.1~esm5"],"ecosystem_specific":{"binaries":[{"binary_name":"roundcube","binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm6"},{"binary_name":"roundcube-core","binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm6"},{"binary_name":"roundcube-mysql","binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm6"},{"binary_name":"roundcube-pgsql","binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm6"},{"binary_name":"roundcube-plugins","binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm6"},{"binary_name":"roundcube-sqlite3","binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm6"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26079.json"}},{"package":{"name":"roundcube","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/roundcube?arch=source&distro=esm-apps%2Fnoble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.6+dfsg-2ubuntu0.1+esm3"}]}],"versions":["1.6.2+dfsg-1","1.6.4+dfsg-1","1.6.5+dfsg-1","1.6.6+dfsg-1","1.6.6+dfsg-2","1.6.6+dfsg-2ubuntu0.1","1.6.6+dfsg-2ubuntu0.1+esm1","1.6.6+dfsg-2ubuntu0.1+esm2"],"ecosystem_specific":{"binaries":[{"binary_name":"roundcube","binary_version":"1.6.6+dfsg-2ubuntu0.1+esm3"},{"binary_name":"roundcube-core","binary_version":"1.6.6+dfsg-2ubuntu0.1+esm3"},{"binary_name":"roundcube-mysql","binary_version":"1.6.6+dfsg-2ubuntu0.1+esm3"},{"binary_name":"roundcube-pgsql","binary_version":"1.6.6+dfsg-2ubuntu0.1+esm3"},{"binary_name":"roundcube-plugins","binary_version":"1.6.6+dfsg-2ubuntu0.1+esm3"},{"binary_name":"roundcube-sqlite3","binary_version":"1.6.6+dfsg-2ubuntu0.1+esm3"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26079.json"}},{"package":{"name":"roundcube","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/roundcube?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.6.10+dfsg-1","1.6.10+dfsg-2","1.6.11+dfsg-1"],"ecosystem_specific":{"binaries":[{"binary_name":"roundcube","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-core","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-mysql","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-pgsql","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-plugins","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-sqlite3","binary_version":"1.6.11+dfsg-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26079.json"}},{"package":{"name":"roundcube","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/roundcube?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.6.11+dfsg-1"],"ecosystem_specific":{"binaries":[{"binary_name":"roundcube","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-core","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-mysql","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-pgsql","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-plugins","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-sqlite3","binary_version":"1.6.11+dfsg-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26079.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}