Dark C0d3rs
HackerOne Disclosed Reports - 2026-04-19

HackerOne disclosed reports - 2026-04-19 - hashXploiter - 04-20-2026

Severity: Medium | State: resolved

Stored XSS in attachment-display exploitable through SameSite


Bug reported by Aikido Security was disclosed on April 19, 2026, at 9:14 am   |   Cross-site Scripting (XSS) - Stored

A stored XSS vulnerability was discovered in the attachment-display feature of Roundcube. By uploading an HTML file and opening it through the display-attachment endpoint, the embedded script could execute under the Roundcube origin. The issue was caused by the lack of a restrictive Content Security Policy in the attachment display flow, unlike the general attachment viewer.
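The post attributes the bug to the display-attachment endpoint serving uploaded HTML without the restrictive Content Security Policy that the general attachment viewer applies. The following is an added example, not Roundcube's code and not from the report: it shows what a hardened response for an inline-displayed HTML attachment looks like next to the weak one, and a small checker that a defender can run against captured response headers to confirm that a CSP actually prevents script execution. The policy string and all function names are this example's own choices; the page does not state which directives Roundcube's viewer uses.

```python
"""Added example: response headers for displaying untrusted HTML attachments,
plus a checker that decides whether a Content-Security-Policy blocks scripts.
This is illustrative code, not Roundcube's implementation."""

from typing import Dict, List, Tuple

# Constructed sample attachment: an uploaded HTML file carrying an inline
# script. With no CSP the script runs in the application's origin.
SAMPLE_ATTACHMENT = b"<html><body>report<script>alert(document.cookie)</script></body></html>"

# Example policy (an assumption, not Roundcube's): no script or network
# sources at all, inline styles and data: images allowed for rendering,
# and the document is sandboxed so it also loses the origin and cannot
# submit forms or run scripts.
DISPLAY_CSP = "default-src 'none'; style-src 'unsafe-inline'; img-src data:; sandbox"


def weak_display_headers(filename: str) -> Dict[str, str]:
    """Headers of a display endpoint that forgot the CSP (the bug class in the post)."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Disposition": f'inline; filename="{filename}"',
    }


def hardened_display_headers(filename: str) -> Dict[str, str]:
    """Same response, but with a restrictive CSP and MIME sniffing disabled."""
    headers = weak_display_headers(filename)
    headers["Content-Security-Policy"] = DISPLAY_CSP
    headers["X-Content-Type-Options"] = "nosniff"
    return headers


def render_attachment(filename: str, body: bytes, hardened: bool = True) -> Tuple[Dict[str, str], bytes]:
    """Build the (headers, body) pair the endpoint would send; the body is
    passed through untouched because the CSP, not sanitization, is the control here."""
    headers = hardened_display_headers(filename) if hardened else weak_display_headers(filename)
    return headers, body


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source tokens]}; a bare directive
    such as 'sandbox' maps to an empty list."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def blocks_script(headers: Dict[str, str]) -> bool:
    """True if the response's CSP prevents script execution in the document.

    Scripts are blocked when the document is sandboxed without allow-scripts,
    or when script-src (falling back to default-src) is exactly 'none'.
    A missing CSP, or a script-src/default-src that lists any real source,
    means uploaded HTML can run script.
    """
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        return False
    directives = parse_csp(csp)
    if "sandbox" in directives and "allow-scripts" not in directives["sandbox"]:
        return True
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    return [s.lower() for s in sources] == ["'none'"]


if __name__ == "__main__":
    for hardened in (False, True):
        headers, _ = render_attachment("report.html", SAMPLE_ATTACHMENT, hardened=hardened)
        print("hardened" if hardened else "weak", "->", "scripts blocked" if blocks_script(headers) else "SCRIPT CAN RUN")
```

The checker is the part worth keeping: point it at the headers of each endpoint that can return user-supplied HTML (here, both the general viewer and the display-attachment flow) so a policy that is present on one path and missing on another shows up as a difference rather than going unnoticed. Where inline display is not needed at all, serving uploads with `Content-Disposition: attachment` is the simpler control, since the browser then never renders the file in the application's origin.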