## https://sploitus.com/exploit?id=E44FCD1C-FC55-56B1-B210-2B9E7A91CD29
# CVE-2025-68461
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
## How does this detection method work?
Extracts Roundcube version from the "rcversion" JSON field in the response, parses it into major.minor.patch format, then checks if version is How do I run this script?
1. Download and install [Nuclei](https://github.com/projectdiscovery/nuclei).
2. Clone this repostory to your local system.
3. Run the following command:
```sh
nuclei -u -t template.yaml
```
Or if you would like to scan a list of hosts, execute:
```sh
nuclei -l -t template.yaml
```
### Example Output
## References
- https://nvd.nist.gov/vuln/detail/CVE-2025-68461
- https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12
- https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb
- https://radar.offseq.com/threat/cve-2025-68461-cwe-79-improper-neutralization-of-i-1c741b3e
## Disclaimer
Use at your own risk, I will not be responsible for illegal activities you conduct on infrastructure you do not own or have permission to scan.
---
## License
This project is licensed under the MIT License.
## Contact
If you have any questions about this vulnerability detection script please reach out to me via [Signal](https://signal.me/#eu/0Qd68U1ivXNdWCF4hf70UYFo7tB0w-GQqFpYcyV6-yr4exn2SclB6bFeP7wTAxQw).
If you would like to connect, I am mostly active on [Twitter/X](https://x.com/rxerium) and [LinkedIn](https://www.linkedin.com/in/rxerium/).