Medium
resolved
Stored XSS in attachment-display exploitable through SameSite
Bug reported by Aikido Security, disclosed on April 19, 2026, 9:14 am | Cross-site Scripting (XSS) - Stored
A stored XSS vulnerability was discovered in the attachment-display feature of Roundcube. By uploading an HTML file and opening it through the display-attachment endpoint, the embedded script could execute under the Roundcube origin. The root cause was that the attachment-display flow, unlike the general attachment viewer, did not apply a restrictive Content Security Policy to the served attachment.
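As an added illustration (not Roundcube's own code), the snippet below contrasts the weak response pattern the report describes with one that serves an untrusted attachment under a restrictive CSP, and includes the check a reviewer could use to confirm the served headers isolate script. The `ACTIVE_TYPES` set and the header-building functions are assumptions for the example, not Roundcube's API.

```python
import re
from typing import Dict

# Assumed list of MIME types a browser renders as active content when shown inline.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def safe_filename(filename: str) -> str:
    """Keep the header well-formed: replace quotes, CR/LF and other header-breaking characters."""
    cleaned = re.sub(r"[^\w.\- ]", "_", filename)
    return cleaned or "attachment"


def weak_headers(mime_type: str, filename: str) -> Dict[str, str]:
    """The pattern the report describes: the attachment is rendered inline under the
    webmail origin with no CSP, so script inside an uploaded HTML file runs there."""
    return {
        "Content-Type": mime_type,
        "Content-Disposition": f'inline; filename="{safe_filename(filename)}"',
    }


def hardened_headers(mime_type: str, filename: str) -> Dict[str, str]:
    """Serve the attachment with a restrictive CSP: 'sandbox' (with no allow-scripts)
    gives the document an opaque origin and disables script, and default-src 'none'
    blocks inline and external resources. Active types are forced to download."""
    base_type = mime_type.split(";")[0].strip().lower()
    disposition = "attachment" if base_type in ACTIVE_TYPES else "inline"
    return {
        "Content-Type": mime_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Content-Disposition": f'{disposition}; filename="{safe_filename(filename)}"',
    }


def isolates_script(headers: Dict[str, str]) -> bool:
    """True when the CSP both forbids script and isolates the origin: a 'sandbox'
    directive without allow-scripts, and default-src restricted to 'none'."""
    csp = headers.get("Content-Security-Policy", "")
    directives: Dict[str, list] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    if "sandbox" not in directives or "allow-scripts" in directives["sandbox"]:
        return False
    return directives.get("default-src") == ["'none'"]
```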