{"id":"CVE-2026-26079","details":"Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.","modified":"2026-04-16T04:33:01.859281225Z","published":"2026-02-11T05:16:28.650Z","related":["openSUSE-SU-2026:20323-1"],"references":[{"type":"WEB","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.5.13"},{"type":"WEB","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.6.13"},{"type":"WEB","url":"https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/5a3315cce587e0be58335d11ff9a5571c90494a5"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/bf89cbaa5897d8ad62e8057d9a3f6babb90b7954"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/c15f5dbf093a497e19a749b20e7f8fb5a9c24cde"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/roundcube/roundcubemail","events":[{"introduced":"0"},{"fixed":"c15f5dbf093a497e19a749b20e7f8fb5a9c24cde"},{"introduced":"993b888afe29c383bf45c84f17090f4db96367ba"},{"fixed":"53d75d5dfebef235a344d476b900c20c12d52b01"},{"fixed":"1f4c3a5af5033747f9685a8a395dbd8228d19816"},{"fixed":"2b5625f1d2ef7e050fd1ae481b2a52dc35466447"},{"fixed":"5a3315cce587e0be58335d11ff9a5571c90494a5"},{"fixed":"bf89cbaa5897d8ad62e8057d9a3f6babb90b7954"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.5.13"},{"introduced":"1.6"},{"fixed":"1.6.13"}]}}],"versions":["1.1-beta","1.1-rc","1.1.0","1.2-beta","1.2-rc","1.3-beta","1.4-beta","1.4-rc1","1.4-rc2","1.5-beta","1.5-rc","1.5.0","1.5.1","1.5.10","1.5.11","1.5.12","1.5.2","1.5.3","1.5.4","1.5.5","1.5.6","1.5.7","1.5.8","1.5.9","1.6.0","1.6.1","1.6.10","1.6.11","1.6.12","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","1.6.8","1.6.9","v0.1-beta2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26079.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"}]}