Cyber Resilience

CVE-2025-68461

HighCISA KEVActive ExploitationEUVD Exploited

Published: 18 December 2025

Published
18 December 2025
Modified
23 February 2026
KEV Added
20 February 2026
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Score 0.1977 97.1th percentile
Risk Priority 46 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-68461 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Roundcube Webmail. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-68461 is a Cross-Site Scripting (XSS) vulnerability affecting Roundcube Webmail versions before 1.5.12 and 1.6 before 1.6.12. The issue stems from improper handling of the animate tag within an SVG document, classified under CWE-79. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), highlighting its potential for cross-origin impact with low confidentiality and integrity effects.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation involves delivering a malicious SVG document containing an animate tag, enabling XSS payloads to execute in the context of the victim's browser session within the Roundcube Webmail interface.

Official advisories recommend updating to Roundcube Webmail 1.5.12 or 1.6.12 to mitigate the vulnerability, as outlined in the project's security update announcement and the patching GitHub commit. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog.

This CVE was published on 2025-12-18, with its inclusion in the CISA catalog indicating real-world exploitation.

EU & UK References

Vulnerability details

Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.

CWE(s)
KEV Date Added
20 February 2026

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-68461 is an unauthenticated XSS vulnerability in the public-facing Roundcube Webmail application, directly enabling exploitation of public-facing applications via delivery of malicious SVG documents.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35537Same product: Roundcube Webmail
CVE-2026-35545Same product: Roundcube Webmail
CVE-2023-5631Same product: Roundcube Webmailboth on KEV
CVE-2025-66376Same product class: email / collaborationboth on KEV
CVE-2026-42897Same product class: email / collaborationboth on KEV
CVE-2025-27915Same product class: email / collaborationboth on KEV
CVE-2025-68645Same product class: email / collaborationboth on KEV
CVE-2025-25064Same product class: email / collaboration
CVE-2021-34473Same product class: email / collaborationboth on KEV
CVE-2021-31207Same product class: email / collaborationboth on KEV

Affected Assets

roundcube
webmail
≤ 1.5.12 · 1.6.0 — 1.6.12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the XSS vulnerability by applying vendor patches to Roundcube Webmail versions 1.5.12 or 1.6.12.

prevent

Filters information output to the browser to prevent execution of XSS payloads from malicious SVG animate tags in webmail.

prevent

Validates inputs such as SVG documents to detect and block the animate tag exploitation leading to XSS.

References