The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog by incorporating new security flaws impacting a widely-used webmail platform. This move underscores the critical nature of these vulnerabilities and their active exploitation by threat actors.
New Vulnerabilities in Roundcube Webmail
On February 20, 2026, CISA identified two significant security vulnerabilities in Roundcube Webmail, prompting an urgent call for organizations to secure their email systems. These flaws expose webmail interfaces to public internet threats, making them prime targets for malicious cyber actors.
Details of the Security Flaws
The first vulnerability involves improper handling of deserialized data, allowing attackers to manipulate application logic or execute arbitrary code. This issue is tracked under CVE-2025-49113, affecting PHP backend processing and holding a critical severity rating.
The second vulnerability is a Cross-Site Scripting (XSS) flaw, identified as CVE-2025-68461. It pertains to the web interface and input handling, enabling attackers to inject harmful scripts, potentially resulting in session hijacking or data theft. This vulnerability is rated high severity.
Implications for Organizations
CISA’s inclusion of these vulnerabilities in the KEV Catalog signifies a substantial risk to federal operations, necessitating immediate attention from security teams. The Binding Operational Directive (BOD) 22-01 mandates federal agencies to prioritize these vulnerabilities, ensuring their systems are fortified against active threats.
While federal agencies are legally obligated to act, CISA strongly advises private entities, state governments, and critical infrastructure operators to adopt a similar approach. Organizations using Roundcube Webmail should promptly apply available patches to mitigate potential cyberattacks.
As CISA continues to update the KEV Catalog, keeping abreast of new vulnerabilities is crucial for maintaining robust cybersecurity defenses. Following CISA’s directives can help organizations reduce their exposure to these significant risks.
