Description

An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.

INFO

Published Date :

2026-04-03T04:02:06.765Z

Last Modified :

2026-04-03T04:14:03.451Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35545 vulnerability.

Vendors Products
Roundcube
  • Webmail
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35545.

URL Resource
https://github.com/roundcube/roundcubemail/commit/7ad62de184368bf42c0f522d1aacc030f5ddcc46 cve-icon cve-icon
https://github.com/roundcube/roundcubemail/commit/9d18d524f3cc211003fc99e2e54eed09a2f3da88 cve-icon cve-icon
https://github.com/roundcube/roundcubemail/commit/fe1320b199d3a2f58351bb699c9ed4316e73221b cve-icon cve-icon
https://github.com/roundcube/roundcubemail/releases/tag/1.5.15 cve-icon cve-icon
https://github.com/roundcube/roundcubemail/releases/tag/1.6.15 cve-icon cve-icon
https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc6 cve-icon cve-icon
https://roundcube.net/news/2026/03/29/security-updates-1.7-rc6-1.6.15-1.5.15 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact