Active Exploits Target Roundcube, jsPDF, and Calibre Users

This newsletter is AI-generated and may sometimes hallucinate 😊

CISA Warns of Actively Exploited XSS and IDOR Flaws in Roundcube Webmail

  • CISA has issued a warning regarding multiple vulnerabilities, including XSS (CVE-2023-49103) and IDOR (CVE-2023-49104, CVE-2023-49105), in Roundcube Webmail that are being actively exploited.
  • The critical XSS vulnerability (CVE-2023-49103) allows attackers to execute arbitrary JavaScript code by exploiting a flaw in the handling of SVG files.
  • Organizations using Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.16 are urged to update immediately to mitigate these critical risks.

Source: Cybersecurity News | Date: February 02, 2026

jsPDF Vulnerabilities Expose Millions to Object Injection and Sandbox Bypass

  • Multiple critical vulnerabilities, including object injection (CVE-2023-38870) and sandbox bypass flaws (CVE-2023-37905), have been discovered in the popular client-side PDF generation library jsPDF.
  • These flaws, particularly affecting how jsPDF processes content and interacts with DOMPurify, could allow malicious actors to execute arbitrary code or bypass security mechanisms in web applications.
  • Developers are advised to update jsPDF to the latest versions and ensure secure configuration practices to protect against potential XSS and other injection attacks.

Source: SecurityOnline.info | Date: February 02, 2026

Zero-Day Flaws in Online PDF Platforms Enable XSS and One-Click Attacks

  • Security researchers have uncovered multiple zero-day vulnerabilities in popular online PDF editors and viewers, including products from GroupDocs, PSPDFKit, and GrapeCity Documents for PDF.
  • These flaws enable Cross-Site Scripting (XSS) and one-click attacks, allowing threat actors to manipulate content or potentially compromise user sessions by tricking users into opening specially crafted PDF files.
  • The vulnerabilities highlight persistent risks in web-based document processing; vendors are urged to patch, and users to exercise caution with PDF files from untrusted sources.

Source: Hackread | Date: February 02, 2026

Critical Calibre Path Traversal Flaws Lead to Remote Code Execution

  • Critical path traversal vulnerabilities (CVE-2023-46299, CVSS 9.8) have been identified in Calibre, the popular e-book management software, affecting versions up to 6.27.0.
  • These flaws allow attackers to achieve remote code execution (RCE) on a user's system simply by having them open a specially crafted e-book file.
  • Users are strongly advised to update Calibre to version 6.28.0 or later to patch these severe vulnerabilities and prevent exploitation.

Source: SecurityOnline.info | Date: February 02, 2026

Prompt Injection and Web Skimming Threats Highlighted in Weekly Recap

  • Recent security reports highlight the ongoing threat of prompt injection attacks, particularly targeting AI assistants integrated into browsers, exemplified by flaws in Opera Neon's AI.
  • "Double-Tap" web skimmers continue to pose a significant risk to e-commerce platforms by injecting malicious JavaScript to steal payment card data from unsuspecting online shoppers.
  • These incidents underscore the need for enhanced browser security, AI interaction safeguards, and robust web application defenses against client-side attacks.

Source: The Hacker News | Date: February 02, 2026

References

  1. CISA Warns of Multiple Roundcube Vulnerabilities Exploited in Attacks - Cybersecurity News
  2. VS meldt actief misbruik van XSS-lek in Roundcube Webmail - Security.nl
  3. Sandbox Bypassed: jsPDF Flaw Exposes Millions to Object Injection - SecurityOnline.info
  4. jsPDF Vulnerability Exposes Millions of Developers to Object Injection Attacks - Cybersecurity News
  5. Multiple Zero-Day Flaws in PDF Platforms Enable XSS and One-Click Attacks - Hackread
  6. Poisoned Pages: Critical Calibre Path Traversal Flaws Expose Readers to RCE - SecurityOnline.info
  7. ⚑ Weekly Recap: Double-Tap Skimmers, PromptSpy AI, 30Tbps DDoS, Docker Malware & More - The Hacker News