[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2024-42009":6},{"stargazers_count":4,"fetched_at":5},5,"2026-04-28T13:22:40.146Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":44,"aliases":45,"duplicate_of":9,"upstream":46,"downstream":47,"duplicates":64,"related":65,"reserved_at":9,"published_at":69,"modified_at":70,"state":71,"summary":72,"references_raw":82,"kevs":114,"epss":131,"epss_history":133,"metrics":349,"affected":357},"CVE-2024-42009","A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-79","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.","weakness","Stable","Base","High",[20,24,28,32,36,40],{"id":21,"name":22,"techniques":23},"CAPEC-209","XSS Using MIME Type Mismatch",[],{"id":25,"name":26,"techniques":27},"CAPEC-588","DOM-Based XSS",[],{"id":29,"name":30,"techniques":31},"CAPEC-591","Reflected XSS",[],{"id":33,"name":34,"techniques":35},"CAPEC-592","Stored XSS",[],{"id":37,"name":38,"techniques":39},"CAPEC-63","Cross-Site Scripting (XSS)",[],{"id":41,"name":42,"techniques":43},"CAPEC-85","AJAX Footprinting",[],[],[],[],[48,50,52,54,56,58,60,62],{"_key":49},"DEBIAN-CVE-2024-42009",{"_key":51},"UBUNTU-CVE-2024-42009",{"_key":53},"OPENSUSE-SU-2024:0328-1",{"_key":55},"OPENSUSE-SU-2024:14243-1",{"_key":57},"DSA-5743-1",{"_key":59},"DSA-5743-2",{"_key":61},"MGASA-2024-0279",{"_key":63},"USN-7636-1",[],[66,67,68],{"_key":53},{"_key":55},{"_key":61},"2024-08-05T00:00:00.000Z","2025-10-21T22:55:48.964Z","Analyzed",{"cisa_kev":73,"cisa_ransomware":74,"cisa_vendor":75,"epss_severity":76,"epss_score":77,"severity":76,"severity_score":78,"severity_version":79,"severity_source":80,"severity_vector":81,"severity_status":71},true,false,"Roundcube","critical",0.91163,9.3,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",[83,89,95,99,103,108],{"url":84,"sources":85,"tags":87},"https://github.com/roundcube/roundcubemail/releases",[80,86],"nvd",[88],"Release Notes",{"url":90,"sources":91,"tags":92},"https://sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/",[80,86],[93,94],"Technical Description","Third Party Advisory",{"url":96,"sources":97,"tags":98},"https://github.com/roundcube/roundcubemail/releases/tag/1.5.8",[80,86],[88],{"url":100,"sources":101,"tags":102},"https://github.com/roundcube/roundcubemail/releases/tag/1.6.8",[80,86],[88],{"url":104,"sources":105,"tags":106},"https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8",[80,86],[107],"Vendor Advisory",{"url":109,"sources":110,"tags":111},"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-42009",[80,86],[112,113],"Government Resource","US Government Resource",[115,125],{"source":116,"vendor":75,"product":117,"date_added":118,"vulnerability_name":119,"short_description":120,"required_action":121,"due_date":122,"known_ransomware_campaign_use":123,"notes":124,"exploitation_type":9},"cisa","Webmail","2025-06-09","RoundCube Webmail Cross-Site Scripting Vulnerability","RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.","Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.","2025-06-30","Unknown","https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8 ; https://nvd.nist.gov/vuln/detail/CVE-2024-42009",{"source":126,"vendor":127,"product":117,"date_added":128,"vulnerability_name":9,"short_description":8,"required_action":9,"due_date":9,"known_ransomware_campaign_use":9,"notes":129,"exploitation_type":130},"enisa","RoundCube","2026-04-27","https://cert.pl/en/posts/2025/06/unc1151-campaign-roundcube/","APT",{"date":128,"score":77,"percentile":132},0.99653,[134,138,142,146,149,151,153,155,158,160,162,164,166,168,170,174,176,178,182,184,187,189,191,193,196,198,200,202,205,208,210,213,216,218,220,222,224,227,230,232,234,236,238,240,242,245,247,249,251,254,256,258,260,262,265,268,270,272,275,277,279,281,284,286,289,291,293,295,297,299,301,303,305,307,309,312,316,318,320,322,325,328,331,333,335,338,340,342,344,346],{"date":135,"score":136,"percentile":137},"2025-11-04",0.90113,0.99556,{"date":139,"score":140,"percentile":141},"2025-11-05",0.90439,0.99573,{"date":143,"score":144,"percentile":145},"2025-11-06",0.90671,0.9959,{"date":147,"score":144,"percentile":148},"2025-11-07",0.99588,{"date":150,"score":144,"percentile":148},"2025-11-08",{"date":152,"score":144,"percentile":148},"2025-11-09",{"date":154,"score":144,"percentile":148},"2025-11-10",{"date":156,"score":144,"percentile":157},"2025-11-11",0.99587,{"date":159,"score":144,"percentile":148},"2025-11-12",{"date":161,"score":144,"percentile":148},"2025-11-13",{"date":163,"score":144,"percentile":157},"2025-11-14",{"date":165,"score":144,"percentile":148},"2025-11-15",{"date":167,"score":144,"percentile":157},"2025-11-16",{"date":169,"score":144,"percentile":157},"2025-11-17",{"date":171,"score":172,"percentile":173},"2025-11-18",0.91132,0.99721,{"date":175,"score":172,"percentile":173},"2025-11-19",{"date":177,"score":172,"percentile":173},"2025-11-20",{"date":179,"score":180,"percentile":181},"2025-11-21",0.90364,0.99569,{"date":183,"score":180,"percentile":181},"2025-11-22",{"date":185,"score":180,"percentile":186},"2025-11-23",0.9957,{"date":188,"score":180,"percentile":181},"2025-11-24",{"date":190,"score":180,"percentile":181},"2025-11-25",{"date":192,"score":180,"percentile":186},"2025-11-26",{"date":194,"score":144,"percentile":195},"2025-11-27",0.99585,{"date":197,"score":144,"percentile":195},"2025-11-28",{"date":199,"score":180,"percentile":186},"2025-11-29",{"date":201,"score":180,"percentile":186},"2025-11-30",{"date":203,"score":180,"percentile":204},"2025-12-01",0.9958,{"date":206,"score":180,"percentile":207},"2025-12-02",0.99579,{"date":209,"score":180,"percentile":204},"2025-12-03",{"date":211,"score":180,"percentile":212},"2025-12-04",0.99571,{"date":214,"score":180,"percentile":215},"2025-12-05",0.99572,{"date":217,"score":180,"percentile":215},"2025-12-06",{"date":219,"score":180,"percentile":215},"2025-12-07",{"date":221,"score":180,"percentile":141},"2025-12-08",{"date":223,"score":180,"percentile":141},"2025-12-09",{"date":225,"score":180,"percentile":226},"2025-12-10",0.99574,{"date":228,"score":144,"percentile":229},"2025-12-11",0.99589,{"date":231,"score":144,"percentile":229},"2025-12-12",{"date":233,"score":144,"percentile":229},"2025-12-13",{"date":235,"score":144,"percentile":229},"2025-12-14",{"date":237,"score":144,"percentile":148},"2025-12-15",{"date":239,"score":144,"percentile":229},"2025-12-16",{"date":241,"score":144,"percentile":145},"2025-12-17",{"date":243,"score":144,"percentile":244},"2025-12-18",0.99591,{"date":246,"score":144,"percentile":244},"2025-12-19",{"date":248,"score":144,"percentile":244},"2025-12-20",{"date":250,"score":144,"percentile":244},"2025-12-21",{"date":252,"score":144,"percentile":253},"2025-12-22",0.99592,{"date":255,"score":144,"percentile":244},"2025-12-23",{"date":257,"score":144,"percentile":253},"2025-12-24",{"date":259,"score":144,"percentile":253},"2025-12-25",{"date":261,"score":144,"percentile":253},"2025-12-26",{"date":263,"score":144,"percentile":264},"2025-12-27",0.99595,{"date":266,"score":144,"percentile":267},"2025-12-28",0.99593,{"date":269,"score":144,"percentile":267},"2025-12-29",{"date":271,"score":144,"percentile":267},"2025-12-30",{"date":273,"score":140,"percentile":274},"2025-12-31",0.99582,{"date":276,"score":140,"percentile":253},"2026-01-01",{"date":278,"score":140,"percentile":253},"2026-01-02",{"date":280,"score":140,"percentile":253},"2026-01-03",{"date":282,"score":140,"percentile":283},"2026-01-04",0.99584,{"date":285,"score":140,"percentile":283},"2026-01-05",{"date":287,"score":140,"percentile":288},"2026-01-06",0.99583,{"date":290,"score":140,"percentile":288},"2026-01-07",{"date":292,"score":140,"percentile":288},"2026-01-08",{"date":294,"score":140,"percentile":283},"2026-01-09",{"date":296,"score":140,"percentile":283},"2026-01-10",{"date":298,"score":140,"percentile":283},"2026-01-11",{"date":300,"score":140,"percentile":283},"2026-01-12",{"date":302,"score":140,"percentile":283},"2026-01-13",{"date":304,"score":140,"percentile":195},"2026-01-14",{"date":306,"score":140,"percentile":195},"2026-01-15",{"date":308,"score":140,"percentile":195},"2026-01-16",{"date":310,"score":140,"percentile":311},"2026-01-17",0.99586,{"date":313,"score":314,"percentile":315},"2026-01-18",0.91224,0.9963,{"date":317,"score":314,"percentile":315},"2026-01-19",{"date":319,"score":314,"percentile":315},"2026-01-20",{"date":321,"score":314,"percentile":315},"2026-01-21",{"date":323,"score":314,"percentile":324},"2026-01-22",0.99632,{"date":326,"score":314,"percentile":327},"2026-01-23",0.99633,{"date":329,"score":314,"percentile":330},"2026-01-24",0.99634,{"date":332,"score":314,"percentile":330},"2026-01-25",{"date":334,"score":314,"percentile":330},"2026-01-26",{"date":336,"score":314,"percentile":337},"2026-01-27",0.99635,{"date":339,"score":314,"percentile":337},"2026-01-28",{"date":341,"score":314,"percentile":337},"2026-01-29",{"date":343,"score":314,"percentile":330},"2026-01-30",{"date":345,"score":314,"percentile":337},"2026-01-31",{"date":347,"score":314,"percentile":348},"2026-02-01",0.99644,[350,355],{"source":80,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":351,"cvss_v4_0":9},{"baseScore":78,"baseSeverity":352,"vectorString":81,"impactScore":353,"exploitabilityScore":354},"CRITICAL",9.7,7.2,{"source":86,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":356,"cvss_v4_0":9},{"baseScore":78,"baseSeverity":352,"vectorString":81,"impactScore":353,"exploitabilityScore":354},[358],{"ecosystem":9,"name":117,"vendor":9,"product":117,"cpe_part":9,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":359},[360,365],{"version":361,"is_range":73,"range_type":362,"version_start":9,"version_start_type":9,"version_end":363,"version_end_type":364,"fixed_in":9},"lt1.5.8","cpe","1.5.8","excluding",{"version":366,"is_range":73,"range_type":362,"version_start":367,"version_start_type":368,"version_end":369,"version_end_type":364,"fixed_in":9},"gte1.6.0_lt1.6.8","1.6.0","including","1.6.8"]