Critical
CVE-2024-42009
Published
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a...
1 day faster than CISA KEV
- Vendor: Roundcube
- Product: Roundcube Webmail
- Published: Aug 05, 2024
- EPSS: 91.4% · 100% pctl
Description
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
Weaknesses (CWE)
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Exploitation Status
- Exploited in the wild (recorded 2026-06-01 13:30:39 UTC · CISA)
- Proof of concept available (recorded 2025-02-11 23:02:42 UTC · GitHub)
References
- https://github.com/roundcube/roundcubemail/releases
- https://sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.8
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.8
- https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CVE First | 2026-06-01 10:32 UTC |
| CISA | 2026-06-02 14:07 UTC |
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-42009.yaml | Jun 01, 2026 |
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
- github · Created 2025-02-11 23:02:42 UTC · 2 stars
  This script exploits a stored XSS vulnerability (CVE-2024-42009) in Roundcube Webmail version 1.6.7. It injects a malicious payload into the webmail system, which, when triggered, exfiltrates email content from the victim's inbox.
- nuclei · Created Unknown
Timeline
- KEV confirmed by CISA
- Detected by Nuclei
- Added to KEVIntel
- Proof of Concept Exploit Available
- CVE Published to Public
- CVE ID Reserved