# CVE-2023-5631

> Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.

- **CVSS:** 6.1 (MEDIUM)
- **EPSS:** 83.4%
- **CISA KEV:** yes
- **CWE:** CWE-79

Canonical: https://intel.threadlinqs.com/cve/CVE-2023-5631
Full threat coverage + IOCs via the Threadlinqs MCP server (Purple tier): https://intel.threadlinqs.com/mcp