Security News


CVE-2023-5631: Roundcube Webmail XSS Vulnerability

  • What: A stored XSS vulnerability exists in Roundcube Webmail allowing attackers to inject malicious JavaScript via crafted SVG documents in HTML emails.
  • Impact: Attackers can steal session cookies and capture credentials.
  • Affected: Roundcube Webmail before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4.
  • CVE: CVE-2023-5631.

CVE-2023-5631 is a stored XSS vulnerability in Roundcube Webmail that allows attackers to inject malicious JavaScript via crafted SVG documents in HTML emails. This article covers technical details, affected versions, and mitigations.

Published: February 11, 2026

CVE-2023-5631 Overview

CVE-2023-5631 is a stored Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail that allows remote attackers to execute arbitrary JavaScript through specially crafted SVG documents embedded in HTML email messages. The vulnerability exists in program/lib/Roundcube/rcube_washtml.php, where improper sanitization of SVG content carried in data URIs lets attackers bypass the HTML sanitizer and inject scripts.

Critical Impact

This vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Attackers can steal session cookies, capture credentials, and perform actions on behalf of authenticated users simply by having a victim view a malicious email.

Affected Products

  • Roundcube Webmail versions before 1.4.15
  • Roundcube Webmail 1.5.x before 1.5.5
  • Roundcube Webmail 1.6.x before 1.6.4
  • Debian Linux 10.0, 11.0, and 12.0
  • Fedora 39

Discovery Timeline

  • October 16, 2023: Roundcube releases security patches (1.6.4, 1.5.5 and 1.4.15)
  • October 18, 2023: CVE-2023-5631 published to NVD
  • October 30, 2025: Last updated in the NVD database

Technical Details for CVE-2023-5631

Vulnerability Analysis

The vulnerability resides in Roundcube's HTML sanitizer (rcube_washtml.php), which filters potentially dangerous content from incoming HTML emails. When processing embedded images whose data URIs contain SVG content, the sanitizer failed to handle whitespace characters inside the MIME type declaration.
This flaw allowed attackers to craft SVG payloads that bypassed the existing sanitization logic. The issue occurs when parsing data URIs of the form data:image/[type],[content]. The original code used the raw $matches[1] value directly to check for SVG content, so whitespace embedded in the type string could make the SVG detection fail while the browser still interpreted the content as SVG.

Root Cause

The root cause is improper input validation in the data URI parsing logic. The vulnerable code did not strip whitespace from the MIME type portion of the data URI before performing its security checks. Because browsers tolerate whitespace in data URIs that the check did not account for, an attacker could insert spaces or other whitespace characters to evade the stripos($matches[1], 'svg') check while the browser still rendered the content as an SVG image, including any embedded JavaScript. The same unnormalized value also fed the stripos($matches[1], ';base64') check, so the sanitizer could additionally misjudge whether the payload was base64-encoded and wash the wrong representation of it.

Attack Vector

An attacker exploits this vulnerability by sending an HTML email containing a data URI with an SVG image, inserting whitespace characters (such as newlines or spaces) into the MIME type declaration so that Roundcube's SVG sanitization is skipped. When the victim opens the email in the Roundcube web interface, the JavaScript embedded in the SVG executes in the context of the victim's authenticated session. Exploitation requires network access and user interaction (viewing the email), but the attacker needs only the low privilege of being able to send email to the target.
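To make the root cause concrete, here is an added Python reconstruction of the two decisions the sanitizer's data-URI branch makes, before and after the fix, run over constructed URIs. This is not Roundcube's code (which is PHP); the URI shapes are illustrative of the whitespace-in-MIME-type pattern rather than the payload used in the wild, and the classify and evades_unpatched_check helpers are names chosen for this example.

```python
import base64
import re
from typing import Optional

# Added illustration, not Roundcube's code: a Python reconstruction of the
# data-URI branch in rcube_washtml.php before and after the CVE-2023-5631 fix,
# so the unpatched and patched decisions can be compared on the same input.

# Mirrors preg_match('/^data:image\/([^,]+),(.+)$/is', $uri, $matches)
DATA_IMAGE_RE = re.compile(r"^data:image/([^,]+),(.+)$", re.IGNORECASE | re.DOTALL)


def classify(uri: str, patched: bool) -> Optional[dict]:
    """Return what the sanitizer would conclude about one data:image/... URI.

    None means the regex did not match, so this branch never ran. Otherwise the
    dict holds the two flags the sanitizer branches on and the type string it
    would carry forward.
    """
    m = DATA_IMAGE_RE.match(uri)
    if m is None:
        return None
    raw_type, payload = m.group(1), m.group(2)
    if patched:
        # The fix: $type = preg_replace('/\s/', '', $matches[1]);
        # re.ASCII keeps \s to ASCII whitespace, as PCRE does without /u.
        checked = re.sub(r"\s", "", raw_type, flags=re.ASCII)
    else:
        # Unpatched code tested $matches[1] exactly as received.
        checked = raw_type
    lowered = checked.lower()
    return {
        "is_svg": "svg" in lowered,          # stripos($type, 'svg') !== false
        "is_base64": ";base64" in lowered,   # stripos($type, ';base64') !== false
        "type": checked,
        "payload_len": len(payload),
    }


def evades_unpatched_check(uri: str) -> bool:
    """True when the unpatched and patched code would branch differently.

    Either disagreement matters: missing 'svg' skips SVG sanitizing entirely,
    and missing ';base64' makes the sanitizer wash an undecoded payload.
    """
    old, new = classify(uri, False), classify(uri, True)
    if new is None:
        return False
    return (old["is_svg"], old["is_base64"]) != (new["is_svg"], new["is_base64"])


# Constructed inputs (illustrative shapes, not the payload seen in the wild).
SVG_DOC = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
SVG_B64 = base64.b64encode(SVG_DOC).decode()

SAMPLES = {
    "svg_base64": "data:image/svg+xml;base64," + SVG_B64,
    "png_base64": "data:image/png;base64,iVBORw0KGgo=",
    "newline_in_subtype": "data:image/sv\ng+xml;base64," + SVG_B64,
    "space_before_base64": "data:image/svg+xml; base64," + SVG_B64,
}

if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        old, new = classify(uri, False), classify(uri, True)
        print(f"{name:22} unpatched={old['is_svg'], old['is_base64']} "
              f"patched={new['is_svg'], new['is_base64']} "
              f"evades={evades_unpatched_check(uri)}")
```

Running the script shows the two checks agreeing on a plain SVG and on a PNG, and disagreeing on both whitespace variants: the newline inside the subtype hides "svg" from the old check, and the space after the semicolon hides ";base64" from it, while the patched normalization sees both.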
php // Security patch in program/lib/Roundcube/rcube_washtml.php // Source: https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d } } else if ($is_image && preg_match('/^data:image\/([^,]+),(.+)$/is', $uri, $matches)) { // RFC2397 + $type = preg_replace('/\s/', '', $matches[1]); + // svg images can be insecure, we'll sanitize them - if (stripos($matches[1], 'svg') !== false) { + if (stripos($type, 'svg') !== false) { $svg = $matches[2]; - if (stripos($matches[1], ';base64') !== false) { - $svg = base64_decode($svg); - $type = $matches[1]; + if (stripos($type, ';base64') !== false) { + $svg = base64_decode($svg); } else { - $type = $matches[1] . ';base64'; + $type .= ';base64'; } $washer = new self($this->config);

The patch adds preg_replace('/\s/', '', $matches[1]) to strip all whitespace characters from the MIME type, and then uses the normalized $type for the SVG check, for the ;base64 check, and for the type string written back out, so the sanitizer's decisions no longer depend on where whitespace was placed.

Detection Methods for CVE-2023-5631

Indicators of Compromise

  • HTML emails containing data URIs with SVG content and unusual whitespace characters in the MIME type declaration
  • JavaScript execution errors or unexpected script activity originating from the Roundcube webmail interface
  • Unusual outbound network connections from user browsers during email viewing sessions
  • Web server logs showing access patterns consistent with XSS payload delivery through email content

The data URI itself travels in the message body, so the first indicator is found by scanning stored mail or filtering at the MTA rather than in web access logs.

Detection Strategies

Monitor web application logs for suspicious data URI patterns, particularly those containing data:i
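Review bot: In the `else if ($is_image && preg_match(...))` hunk, normalising the media type with `preg_replace('/\s/', '', $matches[1])` and then continuing to sanitise is a fail-open choice; whitespace inside a data URI media type is never well-formed under RFC 2397 (the `// RFC2397` comment on that line cites it), so a simpler rule is to treat `$matches[1] !== $type` as malformed input and drop the image, which removes any dependence on which whitespace positions a given browser tolerates. Feeding the stripped `$type` into the `;base64` test and the `$type .= ';base64'` rebuild is correct and should stay. One follow-up worth checking: in the non-base64 branch `$svg = $matches[2]` reaches the washer without percent-decoding, although RFC 2397 allows a percent-encoded payload there, so a `rawurldecode()` before washing (or an explicit reject) would make the two branches consistent.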
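As an added example of turning the first indicator into a check (this is not code from the page or from Roundcube), the following Python scans a stored .eml, walks its text/html parts, and reports every SVG data URI whose media type contains whitespace, using the same normalisation the fix applies. The messages are constructed inline; the scan_message, is_suspicious and build_eml names are this example's own; and the attribute-scanning regex is a heuristic rather than an HTML parser, so it will miss URIs that are themselves HTML-entity-encoded.

```python
import base64
import email
import re
from email import policy
from typing import Dict, List

# Added example, not from the page or from Roundcube: a scanner for stored
# messages (.eml) that reports the indicator described above, an SVG data URI
# whose media type contains whitespace. The regex is a heuristic for attribute
# values; it does not parse HTML.

# Captures the media-type part of a data:image URI up to the comma. Whitespace
# is deliberately allowed inside the capture; it is what we want to see.
DATA_URI_RE = re.compile(r"""data:image/([^,"']+),""", re.IGNORECASE)


def scan_message(raw: bytes) -> List[Dict[str, object]]:
    """Walk every text/html part and report each SVG data URI found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()  # decodes transfer encoding and charset
        for m in DATA_URI_RE.finditer(html):
            raw_type = m.group(1)
            # Same normalisation the fix applies; ASCII whitespace only, as PCRE \s
            normalised = re.sub(r"\s", "", raw_type, flags=re.ASCII)
            if "svg" not in normalised.lower():
                continue
            findings.append({
                "part": idx,
                "media_type": raw_type,
                "whitespace_in_type": normalised != raw_type,
            })
    return findings


def is_suspicious(raw: bytes) -> bool:
    """True when any SVG data URI carries whitespace in its media type."""
    return any(f["whitespace_in_type"] for f in scan_message(raw))


def build_eml(html: str) -> bytes:
    """Constructed multipart/alternative message with a base64 HTML part."""
    body_b64 = base64.encodebytes(html.encode("utf-8")).decode("ascii")
    return (
        "From: sender@example.test\r\n"
        "To: user@example.test\r\n"
        "Subject: invoice\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/alternative; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain; charset=utf-8\r\n"
        "\r\n"
        "Please see the invoice.\r\n"
        "--b1\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        + body_b64.replace("\n", "\r\n")
        + "--b1--\r\n"
    ).encode("utf-8")


SVG_B64 = base64.b64encode(
    b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
).decode("ascii")

# Constructed samples: one with a newline inside the subtype, one benign PNG.
SUSPICIOUS_EML = build_eml(
    '<html><body><p>Invoice attached.</p>'
    '<img src="data:image/sv\ng+xml;base64,' + SVG_B64 + '"></body></html>'
)
BENIGN_EML = build_eml(
    '<html><body><img src="data:image/png;base64,iVBORw0KGgo="></body></html>'
)

if __name__ == "__main__":
    for label, eml in (("suspicious", SUSPICIOUS_EML), ("benign", BENIGN_EML)):
        print(label, is_suspicious(eml), scan_message(eml))
```

To run this over a mailbox, feed each file of a Maildir (or each message split out of an mbox) to is_suspicious as bytes; a plain, well-formed SVG data URI is reported with whitespace_in_type set to False so it can be triaged separately, while any SVG type that changes under normalisation is the indicator from the list above.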
