Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
Roundcube Webmail: Bypassing Image Blocking in Emails
CVE-2026-35542
Summary
A security issue in Roundcube Webmail allows hackers to secretly load images from the internet into emails, potentially revealing sensitive information or allowing unauthorized access. This affects versions before 1.5.14 and 1.6.14. Update to the latest version to fix this issue.
Original title
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. T...
Original description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
nvd CVSS3.1
5.3
Vulnerability type
CWE-669
- https://github.com/roundcube/roundcubemail/commit/e052328e3dc75f13adc2e314eaa409...
- https://github.com/roundcube/roundcubemail/commit/fd0e98178db5c73eaa93d005b56187...
- https://github.com/roundcube/roundcubemail/commit/fde14d01adc9f37893cd82b635883e...
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
- https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026