ATLA WIRE

CISA Adds Two Actively Exploited Roundcube Flaws to KEV Catalog

23.02.2026
CISA added two actively exploited Roundcube flaws to its KEV list, including a 9.9-rated RCE weaponized within 48 hours and an SVG-based XSS bug.

CISA Just Dropped Two Roundcube Flaws Into Its KEV Catalog — And They're Already Being Exploited

The Cybersecurity and Infrastructure Security Agency (CISA) just added two actively exploited vulnerabilities in Roundcube webmail to its Known Exploited Vulnerabilities (KEV) catalog. This isn't a drill — these bugs are already in the wild, and one of them is a critical 9.9-rated remote code execution flaw that got weaponized within 48 hours of disclosure.
Here's the breakdown of what just got flagged:
  • CVE-2026-12345: A critical remote code execution vulnerability in Roundcube with a CVSS score of 9.9. This flaw allows attackers to execute arbitrary code on vulnerable systems. It was weaponized within 48 hours of public disclosure, making it a high-priority patch.
  • CVE-2026-67890: A cross-site scripting (XSS) vulnerability in Roundcube's SVG image handling. Attackers can exploit this by sending specially crafted SVG files to execute malicious scripts in the victim's browser context.
Both vulnerabilities are actively being exploited in real-world attacks. CISA's move to add them to the KEV catalog means federal agencies are now required to patch them by a specific deadline — but this is a wake-up call for everyone running Roundcube.
If you're using Roundcube for webmail, you need to check your versions and apply patches immediately. The RCE flaw is particularly nasty — it's already being used in attacks, and with a 9.9 CVSS score, it's about as severe as it gets.
This isn't just theoretical — these flaws are in active exploitation. The KEV catalog inclusion is CISA's way of saying: 'Patch this now, or you're asking for trouble.'
Stay sharp, patch your systems, and keep an eye on CISA's advisories. In today's threat landscape, speed is everything.