CISA added two actively exploited Roundcube flaws to its KEV list, including a 9.9-rated RCE weaponized within 48 hours and an SVG-based XSS bug.