In this period's cluster, Roundcube webmail carries two CVEs consistent with cross-site scripting (XSS) weaknesses (CWE-79). XSS vulnerabilities in webmail clients are particularly dangerous because they can be used to steal session tokens, exfiltrate email content, or pivot to further attacks without the user's awareness. Organizations running Roundcube should apply patches and review web server access logs for exploitation indicators.