Roundcube Webmail 1.6.0 Has Security Flaw in Email Styles
CVE-2026-35540
Summary
An attacker who sends a malicious HTML email to a user could potentially access internal network resources or extract sensitive information. This is possible because the webmail software does not sufficiently sanitize CSS in HTML email messages, so stylesheet links can point to unauthorized locations such as local network hosts. Update to Roundcube Webmail 1.6.14 or later to fix this issue.
Original title
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if...
Original description
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.
NVD CVSS 3.1
5.4
Vulnerability type
CWE-669
- https://github.com/roundcube/roundcubemail/commit/27ec6cc9cb25e1ef8b4d4ef39ce76d...
- https://github.com/roundcube/roundcubemail/commit/579b68eff90650a5c782e153debd66...
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
- https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026