What is CVE-2024-42009?
RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
Timeline
- 2025-06-09Added to the CISA Known Exploited Vulnerabilities (KEV) catalog
- 2025-06-30CISA federal remediation deadline (BOD 22-01)
CISA Known Exploited Vulnerability
RoundCube Webmail Cross-Site Scripting Vulnerability
Affected product
Roundcube Webmail
Remediation Steps
- Identify all Roundcube instances in your environment
- Apply the latest Roundcube security patch
- Review access logs for indicators of exploitation
- Reset credentials for accounts accessed through vulnerable Roundcube instances
- Monitor for lateral movement following potential compromise
References
Referenced in our briefings & reports
- Vulnerability Priority Report – Week 1 of July 2026 (July 6 – 12)
Browse all tracked CVEs in the defend.network CVE database →
🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.