A vulnerability was found in Roundcube up to 1.6.16/1.7.1. It has been rated as problematic. The impacted element is an unknown function of the component Attachment-Validation Warning. This manipulation of the argument Type causes cross site scripting.

This vulnerability is registered as CVE-2026-54432. Remote exploitation of the attack is possible. No exploit is available.