CVE-2024-42009
CISA KEVPublished June 9, 2025 · Updated April 3, 2026
high
Official Description+
RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
Affected Products
| Vendor | Product |
|---|---|
| Roundcube | Webmail |
Patch Status
Patch by 2025-06-30
Recommended Actions
- Check if your systems use any of the affected products listed above.
- Apply vendor patches immediately if available.
- This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
- Monitor vendor advisories for updates and additional mitigations.
- Review logs for indicators of compromise related to CVE-2024-42009.