CVE-2026-35542
published 2026-04-03CVE-2026-35542: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of…
PriorityP429medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EPSS
0.40%
32.0th percentile
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 1.6.5+dfsg-1+deb12u8 (bookworm) | roundcube 1.6.5+dfsg-1+deb12u8 (bookworm) |
| roundcube | roundcubemail | >= 1.7-beta < 1.7-rc5 | 1.7-rc5 |
| roundcube | webmail | < 1.5.14 | 1.5.14 |
| roundcube | webmail | >= 1.6.0 < 1.6.14 | 1.6.14 |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
osv5.3MEDIUM
vendor_debian5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Debian
CVE-2026-35542: roundcube - An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remot...
vendor_debian·2026·CVSS 5.3
CVE-2026-35542 [MEDIUM] CVE-2026-35542: roundcube - An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remot...
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
Scope: local
bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8)
bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u8)
forky: resolved (fixed in 1.6.14+dfsg-1)
sid: resolved (fixed in 1.6.14+dfsg-1)
trixie: resolved (fixed in 1.6.15+dfsg-0+deb13u1)
GHSA
Roundcube: Bypass of remote image blocking via crafted BODY background attribute
ghsa·2026-04-03
CVE-2026-35542 [MEDIUM] CWE-669 Roundcube: Bypass of remote image blocking via crafted BODY background attribute
Roundcube: Bypass of remote image blocking via crafted BODY background attribute
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
OSV
Roundcube: Bypass of remote image blocking via crafted BODY background attribute
osv·2026-04-03
CVE-2026-35542 [MEDIUM] Roundcube: Bypass of remote image blocking via crafted BODY background attribute
Roundcube: Bypass of remote image blocking via crafted BODY background attribute
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
OSV
CVE-2026-35542: An issue was discovered in Roundcube Webmail before 1
osv·2026-04-03·CVSS 5.3
CVE-2026-35542 [MEDIUM] CVE-2026-35542: An issue was discovered in Roundcube Webmail before 1
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35544 roundcubemail: various flaws [epel-all]
bugzilla·2026-04-03·CVSS 3.1
CVE-2026-35538 [LOW] CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35544 roundcubemail: various flaws [epel-all]
CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35544 roundcubemail: various flaws [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-EPEL-2026-82b702d826 (roundcubemail-1.6.15-1.el10_1) has been submitted as an update to Fedora EPEL 10.1.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-82b702d826
---
FEDORA-EPEL-2026-646aebe990 (roundcubemail-1.6.15-1.el10_2) has been submitted as an update to Fedora EPEL 10.2.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-646aebe990
---
FEDORA-EPEL-2026-f7a0d90857 (roundcubemail-1.6.15-1.el10_
Bugzilla
CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35544 roundcubemail: various flaws [fedora-all]
bugzilla·2026-04-03·CVSS 3.1
CVE-2026-35538 [LOW] CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35544 roundcubemail: various flaws [fedora-all]
CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35544 roundcubemail: various flaws [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-6d293b6889 (roundcubemail-1.7~rc6-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-6d293b6889
---
FEDORA-2026-8ba1a085a9 (roundcubemail-1.6.15-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-8ba1a085a9
---
FEDORA-2026-051825ca18 (roundcubemail-1.6.15-1.fc42) has been submitted as an update to Fedo
Wiz
CVE-2026-35542 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-35542 [MEDIUM] CVE-2026-35542 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35542 :
PHP vulnerability analysis and mitigation
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
Source : NVD
## 5.3
Score
Published April 3, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
PHP
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
roundcube/roundcubemail
roundcube
Sources
NVD
Debian 11, 12, 13, 14 Severity MEDIUM Has Fix Added at: Apr 05, 2026
Echo S
https://github.com/roundcube/roundcubemail/commit/e052328e3dc75f13adc2e314eaa4096ac21084adhttps://github.com/roundcube/roundcubemail/commit/fd0e98178db5c73eaa93d005b561874923f9b0f0https://github.com/roundcube/roundcubemail/commit/fde14d01adc9f37893cd82b635883e516ed453f8https://github.com/roundcube/roundcubemail/releases/tag/1.5.14https://github.com/roundcube/roundcubemail/releases/tag/1.6.14https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
2026-04-03
Published