
CVE-2023-5631

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 18 October 2023
Modified: 30 October 2025
KEV Added: 26 October 2023
Patch: available (fixed releases 1.4.15 / 1.5.5 / 1.6.4)
CVSS v3.1 Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.8324 (99.3rd percentile)
Risk Priority: 82 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-5631 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Roundcube Webmail. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 0.7% of CVEs by EPSS exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

Roundcube Webmail before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 is affected by a stored cross-site scripting flaw tracked as CVE-2023-5631. The issue lies in the HTML sanitizer, program/lib/Roundcube/rcube_washtml.php, which fails to neutralize a crafted SVG document embedded in an HTML email message; script carried by the SVG survives sanitization and is executed by the browser when the message is rendered. Because the message sits in the mailbox and is re-rendered on every view, this is stored rather than reflected XSS.

A remote attacker exploits the vulnerability simply by sending the victim an HTML email containing the crafted SVG; no authentication is needed (PR:N), and the only interaction required (UI:R) is the recipient opening the message in the Roundcube interface. The injected script then runs in the webmail origin with the victim's session, enabling actions such as cookie theft or mailbox manipulation. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N captures this: network-reachable, low complexity, scope changed because the impact lands in the user's browser rather than in the vulnerable component itself, limited confidentiality and integrity loss, no availability impact.
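As an added example for this page (not Roundcube code, and not the rcube_washtml.php bypass, whose specifics the page does not describe), the following Python script shows the general class of SVG content a mail sanitizer must neutralize, packaged as a triage check that a responder can run over raw MIME messages: it flags script-capable SVG elements, event-handler attributes, and javascript:/data: URLs found inside inline <svg> subtrees. The element and attribute lists are the editor's illustrative choice rather than a complete allow-list, and the sample message is constructed, not a real capture.

```python
# Added example for this page: a triage scanner for HTML e-mail bodies that
# carry script-capable inline SVG.  It is not Roundcube code and does not
# reproduce the specific rcube_washtml.php bypass; it checks the general class
# of SVG content a sanitizer must neutralize.  Standard library only.
import email
import re
from email import policy
from html.parser import HTMLParser

# SVG elements that can execute script or pull in another document that can.
# Illustrative list chosen for this example, not a complete deny-list.
SCRIPT_CAPABLE_TAGS = {"script", "foreignobject", "use", "animate", "set", "animatetransform"}
# Attributes that carry URLs; a javascript: or data: value here is a red flag.
URL_ATTRS = {"href", "xlink:href", "src"}
RISKY_SCHEMES = ("javascript:", "data:")


class SvgScanner(HTMLParser):
    """Collect script-capable constructs found inside <svg> subtrees."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.svg_depth = 0
        self.findings = []  # list of (tag, reason)

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return  # outside inline SVG: out of scope for this check
        if tag in SCRIPT_CAPABLE_TAGS:
            self.findings.append((tag, "script-capable element"))
        for name, value in attrs:
            # HTMLParser lowercases names and decodes entities in values, so
            # "&#106;avascript:" already reads "javascript:" here.  Browsers
            # also ignore whitespace/control characters before the scheme,
            # so strip them before inspecting it.
            cleaned = re.sub(r"[\x00-\x20]", "", (value or "").lower())
            if name.startswith("on"):
                self.findings.append((tag, f"event handler {name}"))
            elif name in URL_ATTRS and cleaned.startswith(RISKY_SCHEMES):
                scheme = cleaned.split(":", 1)[0]
                self.findings.append((tag, f"{name} uses {scheme}: scheme"))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1


def scan_html(html_text):
    """Return (tag, reason) findings for one HTML body."""
    scanner = SvgScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


def scan_message(raw_bytes):
    """Scan every text/html part of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


# Constructed sample message (not a real capture and not the CVE payload).
SAMPLE_MESSAGE = b"""\
From: sender@example.test
To: victim@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

plain-text fallback
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Hello</p>
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
  <a xlink:href=" &#106;avascript:alert(1)"><text y="20">click</text></a>
  <use href="data:image/svg+xml;base64,PHN2Zz48L3N2Zz4=#x"/>
</svg>
<img src="x" onerror="alert(1)">
</body></html>
--b1--
"""

if __name__ == "__main__":
    for tag, reason in scan_message(SAMPLE_MESSAGE):
        print(f"<{tag}>: {reason}")
```

The scanner deliberately looks only inside inline SVG, so the <img onerror> in the sample is ignored; that narrowness is the point of a triage check (find messages worth a closer look), and it is no substitute for upgrading to a fixed release.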

Public advisories and the referenced Roundcube commit direct administrators to upgrade to the fixed releases 1.4.15, 1.5.5, or 1.6.4; distribution trackers such as the Debian bug report and oss-security postings likewise emphasize applying these updates as the primary mitigation.
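The fixed-release boundaries are easy to misread (the patched versions themselves are not affected, everything below them on each branch is), so here is a small branch-aware check, added as an example for this page rather than taken from Roundcube or any advisory, that an inventory script can call with a version string from whatever source it has. The handling of pre-release suffixes (ordered before the final release of the same number, hence still counted as affected) is the editor's assumption for this example.

```python
# Added example for this page (not Roundcube or advisory code): decide whether
# a Roundcube Webmail version string falls inside the ranges affected by
# CVE-2023-5631.  Affected: anything before 1.4.15, 1.5.x before 1.5.5,
# 1.6.x before 1.6.4.  The fixed releases themselves are not affected.
import re

# First fixed release per branch: (major, minor) -> (major, minor, patch, 0).
FIXED_RELEASES = {
    (1, 4): (1, 4, 15, 0),
    (1, 5): (1, 5, 5, 0),
    (1, 6): (1, 6, 4, 0),
}


def parse_version(text):
    """'1.6.4' -> (1, 6, 4, 0); '1.6' -> (1, 6, 0, 0); '1.6.4-rc1' -> (1, 6, 4, -1).

    Example assumption: any suffix after the numeric part marks a pre-release,
    which sorts before the final release of the same number, so a pre-release
    of a fixed version is still reported as affected.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    core = (parts + (0, 0, 0))[:3]          # normalize to (major, minor, patch)
    prerelease = -1 if m.group(2).strip() else 0
    return core + (prerelease,)


def is_affected(version_text):
    """True if the given Roundcube version still carries CVE-2023-5631."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return version < FIXED_RELEASES[branch]
    # Branches older than 1.4 never received the fix ("before 1.4.15");
    # branches newer than 1.6 were cut after it.
    return version < (1, 4, 15, 0)


if __name__ == "__main__":
    for v in ("1.3.17", "1.4.14", "1.4.15", "1.5.4", "1.5.5", "1.6.3", "1.6.4", "1.6.4-rc1"):
        print(f"{v:10} affected={is_affected(v)}")
```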

The associated EPSS score has reached a peak of 0.8520 with a current value of 0.8324, indicating sustained exploitation interest after disclosure.

Vulnerability details

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.

CWE(s): CWE-79 (Cross-site Scripting)
KEV Date Added: 26 October 2023

Related Threats

CVEs Like This One

CVE-2025-68461 · same product: Roundcube Webmail · both on KEV
CVE-2025-66376 · same product class: email / collaboration · both on KEV
CVE-2026-42897 · same product class: email / collaboration · both on KEV
CVE-2025-27915 · same product class: email / collaboration · both on KEV
CVE-2026-35545 · same product: Roundcube Webmail
CVE-2026-35537 · same product: Roundcube Webmail
CVE-2021-31207 · same product class: email / collaboration · both on KEV
CVE-2021-27065 · same product class: email / collaboration · both on KEV
CVE-2025-68645 · same product class: email / collaboration · both on KEV
CVE-2022-41082 · same product class: email / collaboration · both on KEV

Affected Assets

roundcube webmail: < 1.4.15 · 1.5.0 to 1.5.4 · 1.6.0 to 1.6.3 (the fixed releases 1.4.15, 1.5.5 and 1.6.4 are not affected)
debian linux: 10.0, 11.0, 12.0
fedoraproject fedora: 39

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation · prevent
Directly requires validation and sanitization of untrusted HTML/SVG email content before storage or rendering, which addresses the sanitization gap in rcube_washtml.php at its source.

SI-15 Information Output Filtering · prevent
Requires filtering of information output to remove or neutralize malicious scripts, so that injected JavaScript is not executed when the message is viewed. Browser-side output controls such as a Content Security Policy are defense in depth here, not a substitute for the fixed release.

SI-2 Flaw Remediation · prevent
Mandates timely remediation of known flaws such as this stored-XSS sanitization error by applying the vendor patches (1.4.15 / 1.5.5 / 1.6.4).
