## https://sploitus.com/exploit?id=E2CF04E5-7B2B-56AE-BB11-79D1448AB6ED
# CVE-2026-48849 - Stored XSS, HTML Injection & CSS Injection in Roundcube Webmail
## Overview
This repository contains a Proof-of-Concept (PoC) for **CVE-2026-48849**, a Stored Cross-Site Scripting (XSS), HTML Injection, and CSS Injection vulnerability in Roundcube Webmail.
The vulnerability allows attacker-controlled HTML, CSS, and JavaScript injected through the email subject field to be stored within draft/session restoration data and automatically executed when the user logs back in and restores the session.
> This repository is provided for educational and security research purposes only.
---
## Vulnerability Details
| Field | Value |
|---------|---------|
| CVE | CVE-2026-48849 |
| Product | Roundcube Webmail |
| Vulnerability Type | Stored XSS / HTML Injection / CSS Injection |
| Affected Versions | 1.6.x before 1.6.16, 1.7.x before 1.7.1 |
| Fixed Versions | 1.6.16, 1.7.1 |
---
## Impact
Successful exploitation may allow:
- Execution of arbitrary JavaScript in an authenticated user context
- HTML content injection
- CSS-based UI manipulation and visual defacement
- Phishing-style overlays within the webmail interface
- DOM manipulation
- Redirection to attacker-controlled websites
- Stored payload persistence until draft/session data is removed
A notable aspect of this vulnerability is that the payload executes automatically during the session restoration process after login, without requiring additional user interaction.
---
## Proof of Concept
A demonstration video showing exploitation in a controlled lab environment is included in this repository.
### PoC Payload
```html
'">alert("XSS")
HTML
Injection
CSS Injection
<!--
```
---
## Reproduction Steps
1. Log in to Roundcube Webmail.
2. Click **Compose**.
3. Insert the PoC payload into the **Subject** field.
4. Attach an image or trigger any background request.
5. Capture the request using Burp Suite.
6. Send the request to Repeater.
7. Send the original request and verify a normal response.
8. Modify or remove the `roundcube_sessauth` cookie.
9. Replay the request and verify the session has expired.
10. Refresh the page and log in again.
11. Observe automatic execution of the stored payload in the session restore popup.
---
## Affected Versions
- Roundcube 1.6.15 and earlier
- Roundcube 1.5.9 (verified during testing)
- Officially fixed in:
  - Roundcube 1.6.16
  - Roundcube 1.7.1
---
## Potential Impact
- Stored Cross-Site Scripting (XSS)
- HTML Injection
- CSS Injection
- Authenticated JavaScript execution
- UI redressing and phishing overlays
- Session restoration abuse
- DOM manipulation
- User workflow interference
- Potential redirection to malicious websites
---
## Fix
Upgrade to a patched version:
- Roundcube **1.6.16**
- Roundcube **1.7.1**
The Roundcube development team addressed the issue by improving sanitization and handling of user-controlled content during session and draft restoration.
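As an added illustration of the class of fix described above (this is not Roundcube's code; the popup markup and function names are assumed), the unsafe pattern of interpolating a stored subject straight into the restore popup's HTML is shown beside the escaping that neutralizes the injected markup:

```javascript
// Added example, not Roundcube code: the popup markup and function names are assumed.
// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Unsafe: the stored subject is interpolated verbatim, so any markup in it
// becomes part of the popup DOM when the session is restored after login.
function buildRestoreNoticeUnsafe(subject) {
  return `<div class="restore-notice" title="${subject}">Restore unsaved draft "${subject}"?</div>`;
}

// Hardened: every user-controlled value is escaped before it lands in markup,
// in both the attribute and the text context.
function buildRestoreNoticeSafe(subject) {
  const safe = escapeHtml(subject);
  return `<div class="restore-notice" title="${safe}">Restore unsaved draft "${safe}"?</div>`;
}

// Constructed sample subject in the shape of the PoC: closes the quoted attribute,
// then opens a tag and starts an HTML comment.
const SAMPLE_SUBJECT = `'"><b>injected</b><!--`;

// Returns true when the rendered markup still contains a tag the subject supplied.
function containsInjectedTag(html) {
  return /<b>/.test(html);
}
```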
---
## Video Demonstration
Place your PoC video here:
```text
/poc/CVE-2026-48849.mp4
```
Or upload it directly to the repository and link it below.
---
## References
- [Roundcube Security Advisory](https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1)
- [Roundcube 1.6.16 Release](https://github.com/roundcube/roundcubemail/releases/tag/1.6.16)
- [Roundcube 1.7.1 Release](https://github.com/roundcube/roundcubemail/releases/tag/1.7.1)
- [Roundcube Changelog](https://github.com/roundcube/roundcubemail/blob/master/CHANGELOG.md)
- [SentinelOne CVE Entry](https://www.sentinelone.com/vulnerability-database/cve-2026-48849/)
---
## Disclaimer
This Proof-of-Concept is intended solely for educational, research, and defensive security purposes. Testing should only be performed on systems you own or are authorized to assess.