theinfosecnews

CVE-2025-68461

CISA KEV

Published February 20, 2026 · Updated April 3, 2026

Severity: high

What This Means

# CVE-2025-68461: Roundcube Webmail XSS via SVG animate Tag

Roundcube Webmail fails to sanitize the `<animate>` tag in SVG attachments or embedded content, allowing attackers to inject and execute arbitrary JavaScript in victim browsers within the webmail context. An attacker can craft a malicious SVG file and send it to a target user; when the user views the email or attachment, the JavaScript executes with the victim's session privileges, enabling session hijacking, credential theft, or mailbox manipulation.

**Immediate actions:** Update Roundcube to the patched version immediately. Review email logs for SVG attachments received in the past 30 days and audit affected user accounts for unauthorized access. Implement Content Security Policy (CSP) headers to restrict inline script execution. Consider blocking SVG uploads at the mail gateway until patching is complete.
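The attachment review recommended above can be scripted. The following is an added example, not code from this page or from the Roundcube project: it parses a raw RFC 5322 message with Python's standard library, lists every SVG part, reports whether the message falls inside the 30-day window, and flags SVG parts that contain SMIL animation elements. The advisory names only `<animate>`; treating its sibling elements (`set`, `animateMotion`, `animateTransform`, `animateColor`) as equally suspect is an assumption made here. The sample message is constructed inline and its SVG only animates opacity; it carries no script.

```python
"""Triage helper for CVE-2025-68461: list SVG attachments in a raw message and flag
SMIL animation elements (such as <animate>) that the advisory says were not sanitized."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# <animate> is the element named in the advisory; the rest are its SMIL siblings and are
# flagged on the same grounds (assumption: treat the whole family as suspect until patched).
SMIL_ANIMATION_TAGS = {"animate", "set", "animatemotion", "animatetransform", "animatecolor"}


def is_svg_part(part) -> bool:
    """Identify an SVG MIME part by declared content type or by attachment filename."""
    ctype = part.get_content_type()
    fname = (part.get_filename() or "").lower()
    return ctype in ("image/svg+xml", "image/svg") or fname.endswith((".svg", ".svgz"))


def find_animation_elements(svg_bytes: bytes) -> list:
    """Return the local names of SMIL animation elements found anywhere in the SVG tree.

    Namespaces are stripped so <svg:animate> and <animate> match alike. For bulk scanning
    of untrusted files, parse with defusedxml rather than the stdlib parser.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["<unparseable-svg>"]  # a file the parser rejects still deserves a manual look
    found = []
    for el in root.iter():
        local_name = el.tag.rsplit("}", 1)[-1].lower()
        if local_name in SMIL_ANIMATION_TAGS:
            found.append(local_name)
    return found


def triage_message(raw_bytes: bytes, now: datetime, window_days: int = 30) -> dict:
    """Parse one raw message and report each SVG part with the animation elements it carries."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    received = None
    if msg.get("Date"):
        received = parsedate_to_datetime(msg["Date"])
        if received.tzinfo is None:  # naive Date header: assume UTC
            received = received.replace(tzinfo=timezone.utc)
    in_window = received is not None and timedelta(0) <= (now - received) <= timedelta(days=window_days)
    svg_parts = []
    for part in msg.walk():
        if part.is_multipart() or not is_svg_part(part):
            continue
        payload = part.get_payload(decode=True) or b""
        svg_parts.append({
            "filename": part.get_filename() or "(inline)",
            "animation_elements": find_animation_elements(payload),
        })
    return {"from": msg.get("From"), "date": received, "in_window": in_window, "svg_parts": svg_parts}


def build_sample_message() -> bytes:
    """Constructed test message (not a real capture): a text body plus an SVG attachment
    containing an <animate> element that only animates opacity."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Updated logo"
    msg["Date"] = "Mon, 02 Mar 2026 10:00:00 +0000"
    msg.set_content("Logo attached.")
    svg = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
           b'<rect width="10" height="10">'
           b'<animate attributeName="opacity" from="0" to="1" dur="1s"/>'
           b'</rect></svg>')
    msg.add_attachment(svg, maintype="image", subtype="svg+xml", filename="logo.svg")
    return msg.as_bytes()


def run_sample() -> dict:
    """Triage the constructed message against a fixed 'now' so the result is reproducible."""
    return triage_message(build_sample_message(), now=datetime(2026, 3, 10, tzinfo=timezone.utc))


if __name__ == "__main__":
    report = run_sample()
    for p in report["svg_parts"]:
        flag = "FLAG" if p["animation_elements"] else "ok"
        print(f"{flag} {p['filename']} in_window={report['in_window']} elements={p['animation_elements']}")
```

Run it over exported `.eml` files (one `triage_message` call per file) and review any part whose `animation_elements` list is non-empty or unparseable; a match is a reason to inspect the sender and the recipient's account activity, not proof of exploitation.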

Official Description

RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document.

Affected Products

| Vendor | Product |
| --- | --- |
| Roundcube | Webmail |

Patch Status

Patch by 2026-03-13

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review logs for indicators of compromise related to CVE-2025-68461.

Related Coverage

Vulnerability

CVE-2025-68461: Roundcube Webmail SVG Animate Tag Enables Stored XSS Attack

CVE-2025-68461 is a cross-site scripting vulnerability in Roundcube Webmail caused by inadequate sanitization of the SVG `<animate>` tag. An attacker can deliver a malicious SVG via email to execute arbitrary JavaScript in a victim's authenticated session, enabling session hijacking, credential theft, and unauthorized account actions. CISA requires federal agencies to patch by March 13, 2026; all organizations should upgrade Roundcube immediately and consider blocking SVG rendering as an interim control.
