{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2025-68460", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2025-12-18T04:54:13.074Z", "datePublished": "2025-12-18T04:54:13.338Z", "dateUpdated": "2025-12-18T18:53:53.491Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Webmail", "vendor": "Roundcube", "versions": [{"lessThan": "1.5.12", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "1.6.12", "status": "affected", "version": "1.6.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-12-18T05:21:51.927Z"}, "references": [{"url": "https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12"}, {"url": "https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.5.12"}, {"vulnerable": true, "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.6.0", "versionEndExcluding": "1.6.12"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-18T18:27:49.263470Z", "id": "CVE-2025-68460", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T18:53:53.491Z"}}]}, "dataVersion": "5.2"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "matchCriteriaId": "72BDB5DF-B892-4EB7-B953-BCF6571CFE33", "versionEndExcluding": "1.5.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "matchCriteriaId": "2E7809A5-BC6E-47F6-8175-261C417A1648", "versionEndExcluding": "1.6.12", "versionStartIncluding": "1.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer."}], "id": "CVE-2025-68460", "lastModified": "2026-01-02T16:25:43.823", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-12-18T05:15:52.737", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "roundcubemail: Roundcube Webmail: Information Disclosure via HTML Style Sanitizer", "id": "2423487", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423487"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-116", "details": ["A flaw was found in Roundcube Webmail. This information disclosure vulnerability resides within the HTML style sanitizer, potentially allowing an attacker to gain unauthorized access to sensitive information. The vulnerability is triggered by improper handling of HTML styles."], "name": "CVE-2025-68460", "public_date": "2025-12-18T04:54:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-68460\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68460\nhttps://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571\nhttps://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12"], "statement": "This vulnerability is rated Low for Red Hat. The information disclosure flaw in Roundcube Webmail's HTML style sanitizer requires user interaction to exploit, limiting its impact in typical Red Hat deployments.", "threat_severity": "Moderate"}

{}