CVE-2026-35540
Published 2026-04-03
Priority: P4 (33) · Medium · 6.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.31% (22.7th percentile)
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 1.6.5+dfsg-1+deb12u8 (bookworm) | roundcube 1.6.5+dfsg-1+deb12u8 (bookworm) |
| roundcube | roundcubemail | >= 1.7-beta < 1.7-rc5 | 1.7-rc5 |
| roundcube | webmail | >= 1.6.0 < 1.6.14 | 1.6.14 |
| roundcube | webmail | >= 1.6.14 < 1.6.16 | 1.6.16 |
| roundcube | webmail | >= 1.7.0 < 1.7.1 | 1.7.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| cvelistv5 | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
| osv | | 6.5 | MEDIUM | |
| vendor_debian | | 5.4 | MEDIUM | |
GHSA
GHSA-2hww-8583-w9wf: Roundcube Webmail 1
ghsa_unreviewed · 2026-05-26 · CVSS 6.5 · CVE-2026-48843 [MEDIUM] · CWE-918
Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16, and 1.7.x before 1.7.1, has insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages, which may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an insufficient fix for CVE-2026-35540.
CVEList
CVE-2026-48843: Roundcube Webmail 1
cvelistv5 · 2026-05-25 · CVSS 6.5 · CVE-2026-48843 [MEDIUM] · CWE-918
Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16, and 1.7.x before 1.7.1, has insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages, which may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an insufficient fix for CVE-2026-35540.
OSV
Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages
osv · 2026-04-03 · CVE-2026-35540 [MEDIUM]
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.
GHSA
Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages
ghsa · 2026-04-03 · CVE-2026-35540 [MEDIUM] · CWE-669
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.
OSV
CVE-2026-35540: An issue was discovered in Roundcube Webmail 1
osv · 2026-04-03 · CVSS 6.5 · CVE-2026-35540 [MEDIUM]
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.
Debian
CVE-2026-35540: roundcube - An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient C...
vendor_debian · 2026 · CVSS 5.4 · CVE-2026-35540 [MEDIUM]
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.
Scope: local
bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8)
bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u8)
forky: resolved (fixed in 1.6.14+dfsg-1)
sid: resolved (fixed in 1.6.14+dfsg-1)
trixie: resolved (fixed in 1.6.15+dfsg-0+deb13u1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-48843 roundcubemail: information disclosure and Server-Side Request Forgery via insufficient CSS sanitization
bugzilla · 2026-05-25 · CVSS 6.5 · CVE-2026-48843 [MEDIUM]
Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16, and 1.7.x before 1.7.1, has insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages, which may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an insufficient fix for CVE-2026-35540.
Bugzilla
CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35544 roundcubemail: various flaws [epel-all]
bugzilla · 2026-04-03 · CVSS 3.1 · CVE-2026-35538 [LOW]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-EPEL-2026-82b702d826 (roundcubemail-1.6.15-1.el10_1) has been submitted as an update to Fedora EPEL 10.1.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-82b702d826
---
FEDORA-EPEL-2026-646aebe990 (roundcubemail-1.6.15-1.el10_2) has been submitted as an update to Fedora EPEL 10.2.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-646aebe990
---
FEDORA-EPEL-2026-f7a0d90857 (roundcubemail-1.6.15-1.el10_
Bugzilla
CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35544 roundcubemail: various flaws [fedora-all]
bugzilla · 2026-04-03 · CVSS 3.1 · CVE-2026-35538 [LOW]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-6d293b6889 (roundcubemail-1.7~rc6-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-6d293b6889
---
FEDORA-2026-8ba1a085a9 (roundcubemail-1.6.15-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-8ba1a085a9
---
FEDORA-2026-051825ca18 (roundcubemail-1.6.15-1.fc42) has been submitted as an update to Fedo
Wiz
CVE-2026-35540 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · CVE-2026-35540 [MEDIUM]
CVE-2026-35540: PHP vulnerability analysis and mitigation
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.
Source: NVD
Score: 5.4
Published: April 3, 2026
Severity: MEDIUM
CNA Score: 5.4
Affected Technologies: PHP, Linux Debian
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 8.8
Exploitation Probability (EPSS): N/A
Affected packages and libraries: roundcube, roundcube/roundcubemail
Sources:
NVD
Debian 11, 12, 13, 14: Severity MEDIUM, Has Fix, Added at: Apr 05, 2026
Echo: Severity MEDIUM, Has
References:
https://github.com/roundcube/roundcubemail/commit/27ec6cc9cb25e1ef8b4d4ef39ce76d619caa6870
https://github.com/roundcube/roundcubemail/commit/579b68eff90650a5c782e153debd66c765648942
https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
Published 2026-04-03