CVE-2026-48843

Published: May 25, 2026Modified: May 26, 2026Deferred

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.7

Source: MITRE (Secondary)

Description

Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16,and 1.7.x before 1.7.1 has Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an insufficient fix for CVE-2026-35540.

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (5)

https://github.com/roundcube/roundcubemail/commit/ab96c88bfd888866ec5e02190b19618db283923a

Source: cve@mitre.org

https://github.com/roundcube/roundcubemail/commit/cb3fc9041e91640ba9ba49ee7b2147c176ebf5a1

Source: cve@mitre.org

https://github.com/roundcube/roundcubemail/releases/tag/1.6.16

Source: cve@mitre.org

https://github.com/roundcube/roundcubemail/releases/tag/1.7.1

Source: cve@mitre.org

https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1

Source: cve@mitre.org

Timeline

No history available yet.