CVE-2025-68461
Published: 18 December 2025
Summary
CVE-2025-68461 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Roundcube Webmail. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-68461 is a Cross-Site Scripting (XSS) vulnerability affecting Roundcube Webmail versions before 1.5.12 and 1.6 before 1.6.12. The issue stems from improper handling of the animate tag within an SVG document, classified under CWE-79. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), highlighting its potential for cross-origin impact with low confidentiality and integrity effects.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation involves delivering a malicious SVG document containing an animate tag, enabling XSS payloads to execute in the context of the victim's browser session within the Roundcube Webmail interface.
Official advisories recommend updating to Roundcube Webmail 1.5.12 or 1.6.12 to mitigate the vulnerability, as outlined in the project's security update announcement and the patching GitHub commit. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog.
This CVE was published on 2025-12-18, with its inclusion in the CISA catalog indicating real-world exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-204035
Vulnerability details
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
- CWE(s)
- KEV Date Added
- 20 February 2026
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2025-68461 is an unauthenticated XSS vulnerability in the public-facing Roundcube Webmail application, directly enabling exploitation of public-facing applications via delivery of malicious SVG documents.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the XSS vulnerability by applying vendor patches to Roundcube Webmail versions 1.5.12 or 1.6.12.
Filters information output to the browser to prevent execution of XSS payloads from malicious SVG animate tags in webmail.
Validates inputs such as SVG documents to detect and block the animate tag exploitation leading to XSS.