Nixpkgs security tracker

Untriaged

Permalink CVE-2026-48848

7.2 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 1 week ago Activity log

Created suggestion 1 week ago

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has …

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.

References

Affected products

Webmail

<1.6.16
<1.7.1

Matching in nixpkgs

pkgs.ayatana-webmail

Webmail notifications and actions for any desktop

nixos-unstable 24.5.17
- nixpkgs-unstable 24.5.17
- nixos-unstable-small 24.5.17
nixos-25.11 24.5.17
- nixos-25.11-small 24.5.17
- nixpkgs-25.11-darwin 24.5.17

Package maintainers

@doronbehar Doron Behar <me@doronbehar.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.ayatana-webmail

Package maintainers