CISA Catalog
Data sourced from the official CISA Known Exploited Vulnerabilities Catalog. Federal agencies are required to remediate these vulnerabilities by the due date per BOD 22-01.
KEV Entries: 1,619
Ransomware Use: 327
Overdue: 1,615
Vendors: 266
Products: 655
11 results
RoundCube Webmail Deserialization of Untrusted Data Vulnerability
Roundcube · Webmail
RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.
Required Action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
RoundCube Webmail Cross-site Scripting Vulnerability
Roundcube · Webmail
RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document.
Required Action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
RoundCube Webmail Cross-Site Scripting Vulnerability
Roundcube · Webmail
RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a desanitization issue in message_body() in program/actions/mail/show.php.
Required Action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability
Roundcube · Webmail
RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code.
Required Action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
Roundcube · Webmail
Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to manipulate data via a malicious XML attachment.
Required Action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
Roundcube · Webmail
Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages.
Required Action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
Roundcube · Webmail
Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that allows a remote attacker to run malicious JavaScript code.
Required Action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
Roundcube · Roundcube Webmail
Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with JavaScript in a link reference element that is mishandled by linkref_addinindex in rcube_string_replacer.php.
Required Action
Apply updates per vendor instructions.
Roundcube Webmail Remote Code Execution Vulnerability
Roundcube · Roundcube Webmail
Roundcube Webmail contains a remote code execution vulnerability that allows attackers to execute code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
Required Action
Apply updates per vendor instructions.
Roundcube Webmail SQL Injection Vulnerability
Roundcube · Roundcube Webmail
Roundcube Webmail is vulnerable to SQL injection via search or search_params.
Required Action
Apply updates per vendor instructions.
Roundcube Webmail File Disclosure Vulnerability
Roundcube · Roundcube Webmail
Roundcube Webmail contains a file disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default.
Required Action
Apply updates per vendor instructions.