# CVE-2020-35730

> An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.

- **CVSS:** 6.1 (MEDIUM)
- **EPSS:** 64.8%
- **CISA KEV:** yes
- **CWE:** CWE-79

Canonical: https://intel.threadlinqs.com/cve/CVE-2020-35730
Full threat coverage + IOCs via the Threadlinqs MCP server (Purple tier): https://intel.threadlinqs.com/mcp