Cyber Posture

CVE-2025-68461

High · CISA KEV · Active Exploitation

Published: 18 December 2025
Modified: 23 February 2026
KEV Added: 20 February 2026
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0481 (89.6th percentile)
Risk Priority: 37 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-68461 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Roundcube Webmail, reached through the animate tag in an SVG document. Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it in the top 10.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly remediates the XSS vulnerability by applying the vendor patches: upgrade Roundcube Webmail to 1.5.12 or 1.6.12.

SI-15 Information Output Filtering (prevent)

Filters information output to the browser so that XSS payloads carried in malicious SVG animate tags are not rendered by the webmail interface.

SI-10 Information Input Validation (prevent)

Validates inputs such as SVG documents to detect and block the animate tag exploitation that leads to XSS.
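As an added example, not Roundcube's own sanitizer (which lives in its HTML washing code), here are the SI-10 and SI-15 controls above expressed as a small Python routine that detects SMIL animation elements in an SVG document and strips them before the document reaches a browser. The advisory names only the animate tag, so treating every SMIL animation element (animate, animateMotion, animateTransform, set) as untrusted is a conservative policy assumed here, not something the advisory states. The sample SVG is constructed and carries ordinary animations, not a payload.

```python
"""Detect and strip SMIL animation elements from an SVG document.

Added example, not Roundcube code. Conservative policy: every SMIL animation
element is dropped, not only <animate>, because the advisory does not say which
attribute combination on the tag is the dangerous one (assumption).
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Keep the default and xlink prefixes stable when the cleaned tree is re-serialised.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Lower-cased local names of the SMIL animation elements (assumed policy, see above).
SMIL_ELEMENTS = frozenset({"animate", "animatemotion", "animatetransform", "set"})

# Constructed sample: benign animations, used only to exercise the filter.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect width="100" height="100" fill="steelblue"/>
  <circle cx="50" cy="50" r="20">
    <animate attributeName="r" values="20;40;20" dur="2s" repeatCount="indefinite"/>
  </circle>
  <set attributeName="display" to="none" begin="5s"/>
</svg>"""


def _local_name(tag):
    """Strip the '{uri}' prefix ElementTree puts on namespaced tags; compare case-insensitively."""
    return tag.rsplit("}", 1)[-1].lower()


def find_animation_elements(svg_text):
    """Return [(path, attributes)] for every SMIL animation element in the document.

    Raises ET.ParseError on malformed input; a production filter must treat that as a
    reject, not a pass. For untrusted input, parse with defusedxml or cap the size first.
    """
    root = ET.fromstring(svg_text)
    findings = []

    def walk(elem, path):
        here = f"{path}/{_local_name(elem.tag)}"
        if _local_name(elem.tag) in SMIL_ELEMENTS:
            findings.append((here, dict(elem.attrib)))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def strip_animation_elements(svg_text):
    """Return (cleaned_svg, removed_count) with every SMIL element and its subtree removed."""
    root = ET.fromstring(svg_text)
    if _local_name(root.tag) in SMIL_ELEMENTS:
        # The whole document is an animation element: nothing safe to keep.
        return "", 1
    removed = 0
    for parent in list(root.iter()):
        for child in list(parent):
            if _local_name(child.tag) in SMIL_ELEMENTS:
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for path, attrs in find_animation_elements(SAMPLE_SVG):
        print("found", path, attrs)
    cleaned, n = strip_animation_elements(SAMPLE_SVG)
    print(f"removed {n} element(s):\n{cleaned}")
```

The detect function gives the SI-10 side (log or reject a message that carries animation elements); the strip function gives the SI-15 side (what is left is what the browser sees). Neither replaces the SI-2 upgrade; they are defence in depth for the window before 1.5.12 or 1.6.12 is deployed.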

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

CVE-2025-68461 is an unauthenticated XSS vulnerability in Roundcube Webmail, an Internet-facing application, and is exploited by delivering a malicious SVG document to it; that is the T1190 pattern.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.

Deeper analysis

CVE-2025-68461 is a Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail versions before 1.5.12 and in 1.6 before 1.6.12. The flaw, classified under CWE-79, is improper handling of the animate tag inside an SVG document. Its CVSS v3.1 base score is 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N): the scope is changed because the impact lands in the user's browser rather than in the vulnerable web application, and the confidentiality and integrity impacts are rated low.

Per the vector, a remote attacker needs no privileges on the server (PR:N), the attack complexity is low, and user interaction is scored as not required. Exploitation consists of delivering a malicious SVG document containing an animate tag to a Roundcube user; when the webmail interface renders it, the XSS payload runs in the victim's authenticated browser session.

The fix is to update to Roundcube Webmail 1.5.12 or 1.6.12, as described in the project's security update announcement and in the patching GitHub commit. The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.

The CVE was published on 2025-12-18 and added to the CISA catalog on 2026-02-20, which indicates real-world exploitation.
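Added example, not from the advisory or from the Roundcube project: a Python check that reads the version constant Roundcube defines in program/include/iniset.php (RCMAIL_VERSION; verify that path against your own install, it is assumed here) and decides whether it falls inside an affected range as stated in the NVD description. The iniset.php excerpt is constructed.

```python
"""Version check for CVE-2025-68461 (Roundcube Webmail).

Added example, not part of the advisory or of Roundcube. Affected ranges come from
the NVD description: every release before 1.5.12, and 1.6.x before 1.6.12.
"""
import re

# Constructed excerpt in the shape of Roundcube's program/include/iniset.php, which
# defines RCMAIL_VERSION (assumption: confirm the path on your own installation).
SAMPLE_INISET = """<?php
// This file is part of the Roundcube Webmail client
define('RCMAIL_VERSION', '1.6.11');
define('RCMAIL_START', microtime(true));
"""

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?")
_INISET_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(text):
    """'1.6.11', 'v1.6.11' or '1.6.11-rc' -> (1, 6, 11).

    Pre-release suffixes are ignored, so a pre-release of a fixed version is reported
    as fixed; treat such an install with suspicion and check the changelog.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version_text):
    """True when the version sits in an affected range.

    'before 1.5.12' takes in the whole 1.4 line and 1.5.0 to 1.5.11; the 1.6 line is
    affected from 1.6.0 up to 1.6.11. 1.7 and later are outside the stated ranges.
    """
    v = parse_version(version_text)
    return v < (1, 5, 12) or (1, 6, 0) <= v < (1, 6, 12)


def version_from_iniset(php_source):
    """Pull the RCMAIL_VERSION literal out of iniset.php source text."""
    m = _INISET_RE.search(php_source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found")
    return m.group(1)


def assess_install(php_source):
    """Return (version, affected, fix_version) for an iniset.php body.

    The fix version follows the advisory: 1.6.12 for the 1.6 line, 1.5.12 otherwise.
    """
    version = version_from_iniset(php_source)
    v = parse_version(version)
    fix = "1.6.12" if v >= (1, 6, 0) else "1.5.12"
    return version, is_affected(version), fix


if __name__ == "__main__":
    version, affected, fix = assess_install(SAMPLE_INISET)
    state = "AFFECTED, upgrade to " + fix if affected else "not affected"
    print(f"Roundcube {version}: {state}")
```

Run it against the real file (`open("program/include/iniset.php").read()`) on each Roundcube host; a version string without the third component is treated as .0, which is the conservative reading.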

Details

CWE(s): CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
KEV Date Added: 20 February 2026

Affected Products

roundcube webmail: < 1.5.12 · 1.6.0 to 1.6.11 (fixed in 1.5.12 and 1.6.12)

CVEs Like This One

CVE-2026-35545 · same product: Roundcube Webmail
CVE-2026-35537 · same product: Roundcube Webmail
CVE-2025-66376 · same product class: email / collaboration · both on KEV
CVE-2025-68645 · same product class: email / collaboration · both on KEV
CVE-2026-42897 · same product class: email / collaboration · both on KEV
CVE-2025-27915 · same product class: email / collaboration · both on KEV
CVE-2025-25064 · same product class: email / collaboration
CVE-2024-12633 · shared CWE-79
CVE-2025-8456 · shared CWE-79
CVE-2024-56056 · shared CWE-79
