CVE-2025-68460

Advisory lineage Upstream: 0 Downstream: 3

Downstream

DEBIAN-CVE-2025-68460 OPENSUSE-SU-2026:20323-1 UBUNTU-CVE-2025-68460

Analyzed

Published: 18 Dec 2025, 04:54

Last modified:18 Dec 2025, 18:53

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

0.05% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

18 Dec 2025, 04:54

Published

Vulnerability first disclosed

18 Dec 2025, 18:53

Last Modified

Vulnerability information updated

Description

Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer.

CVSS Metrics

v3.1•HIGH•Score: 7.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Trends

Current EPSS score: 0.05%• Percentile: 14%

Techniques & Countermeasures

CWE-116•Improper Encoding or Escaping of Output
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Affected Systems

roundcube•webmail
< 1.5.12 | ≥ 1.6.0, < 1.6.12