CVE-2020-12640

Name: CVE-2020-12640
Creator: NVD / NIST
Published: 2020-05-04T15:15:14.357+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 6.73%

Last modified Jun 17, 2026

CVE-2020-12640 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.. EPSS estimates a 6.73% chance of exploitation in the next 30 days.

Description

Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

6.73%

93.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-22

Affected Software

Vendor	Product	Versions	Update
Roundcube	Webmail	>= 1.2.0, < 1.2.10	—
Roundcube	Webmail	>= 1.3.0, < 1.3.11	—
Roundcube	Webmail	>= 1.4.0, < 1.4.4	—
Opensuse	Backports Sle	15.0	Sp1
Opensuse	Leap	15.1	—
Opensuse	Leap	15.2	—

References

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.htmlThird Party Advisory
https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12640-PHP%20Local%20File%20Inclusion-RoundcubeExploit, Third Party Advisory
https://github.com/roundcube/roundcubemail/commit/814eadb699e8576ce3a78f21e95bf69a7c7b3794Patch, Third Party Advisory
https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4Release Notes, Third Party Advisory
https://github.com/roundcube/roundcubemail/releases/tag/1.4.4Release Notes, Third Party Advisory
https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10Release Notes, Vendor Advisory
https://security.gentoo.org/glsa/202007-41Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.htmlThird Party Advisory
https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12640-PHP%20Local%20File%20Inclusion-RoundcubeExploit, Third Party Advisory
https://github.com/roundcube/roundcubemail/commit/814eadb699e8576ce3a78f21e95bf69a7c7b3794Patch, Third Party Advisory
https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4Release Notes, Third Party Advisory
https://github.com/roundcube/roundcubemail/releases/tag/1.4.4Release Notes, Third Party Advisory
https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10Release Notes, Vendor Advisory
https://security.gentoo.org/glsa/202007-41Third Party Advisory

Timeline

Published: May 4, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-12640?

Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.

How severe is CVE-2020-12640?

CVE-2020-12640 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 6.73% probability of exploitation in the next 30 days.

How do I fix CVE-2020-12640?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-12640?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST