Roundcube, a widely used open-source webmail application, has been found to contain critical Cross-Site Scripting (XSS) vulnerabilities in versions 1.6.7 and below, as well as 1.5.7 and below. These vulnerabilities allow an attacker to steal emails, contacts, and email passwords, and to send emails from the victim's account, triggered merely by the victim viewing a malicious email. The vulnerabilities were discovered by Sonar's Vulnerability Research Team, and similar Roundcube XSS flaws have been reported as exploited by the APT group Winter Vivern against European government entities. Roundcube administrators are advised to update to the patched versions 1.6.8 or 1.5.8 as soon as possible, and users who suspect they are affected should change their email password and clear the site data stored in their browser. The vulnerabilities were reported to the maintainers on June 18th, patches were published on August 4th, and this initial blog post was published on August 5th.