Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
Roundcube Webmail: Malicious Email Messages Can Bypass Security Features
CVE-2026-35544
Summary
Some versions of Roundcube Webmail don't properly filter out malicious code in emails. This could allow an attacker to bypass security features and potentially harm your users. Update to the latest version to fix this issue.
Original title
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass ...
Original description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.
nvd CVSS3.1
5.3
Vulnerability type
CWE-669
- https://github.com/roundcube/roundcubemail/commit/099009b9c8e1d3c636fb9a5af72f7c...
- https://github.com/roundcube/roundcubemail/commit/226811a1c974271dbedca72672923a...
- https://github.com/roundcube/roundcubemail/commit/57dec0c127b98e0c8e3b9c26c80049...
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
- https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026