Description

An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.

INFO

Published Date :

2026-04-03T03:47:51.456Z

Last Modified :

2026-04-03T04:08:31.555Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35540 vulnerability.

Vendors Products
Roundcube
  • Webmail
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35540.

URL Resource
https://github.com/roundcube/roundcubemail/commit/27ec6cc9cb25e1ef8b4d4ef39ce76d619caa6870 cve-icon cve-icon
https://github.com/roundcube/roundcubemail/commit/579b68eff90650a5c782e153debd66c765648942 cve-icon cve-icon
https://github.com/roundcube/roundcubemail/releases/tag/1.6.14 cve-icon cve-icon
https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5 cve-icon cve-icon
https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact