Skip to main content

Suse CVE-2026-35540

| EUVDEUVD-2026-18583 MEDIUM
Incorrect Resource Transfer Between Spheres (CWE-669)
2026-04-03 mitre GHSA-vxg2-hhgr-37fx
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Apr 04, 2026 - 08:30 nvd
Patch available
EUVD ID Assigned
Apr 03, 2026 - 04:30 euvd
EUVD-2026-18583
Analysis Generated
Apr 03, 2026 - 04:30 vuln.today
CVE Published
Apr 03, 2026 - 03:47 nvd
MEDIUM 5.4

DescriptionCVE.org

An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.

AnalysisAI

Roundcube Webmail 1.6.0 through 1.6.13 allows Server-Side Request Forgery (SSRF) and Information Disclosure through insufficient CSS sanitization in HTML email messages, enabling attackers to craft malicious stylesheets that reference local network hosts. The vulnerability affects all instances processing HTML emails with external stylesheet links, and does not require authentication due to the unauthenticated attack vector (AV:N, PR:N in CVSS). Vendor-released patch: versions 1.6.14, 1.7-rc5, and later.

Technical ContextAI

Roundcube Webmail's HTML email rendering engine fails to properly sanitize Cascading Style Sheets (CSS) before displaying user-supplied content. CWE-669 (Improper Initialization) indicates the root cause relates to inadequate initialization or configuration of CSS parsing/filtering mechanisms. When processing HTML email messages, stylesheet declarations with @import or link directives pointing to internal network resources (e.g., http://192.168.x.x/ or http://localhost/) can be executed server-side or cause information leakage through HTTP requests made by the webmail server. The vulnerability exploits the fact that CSS fetching operations can trigger network requests to arbitrary URLs specified in the email, potentially allowing reconnaissance of internal network topology or access to metadata through HTTP response analysis.

RemediationAI

Upgrade Roundcube Webmail to version 1.6.14 or later (for 1.6.x branch) or 1.7-rc5 and subsequent stable releases (for 1.7+ branch). Vendor-released patches are available at https://github.com/roundcube/roundcubemail/releases/tag/1.6.14 and https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14. If immediate upgrade is not feasible, restrict HTML email rendering for untrusted senders or implement a network-level Content Security Policy (CSP) header to block stylesheet fetches to private IP ranges; however, patching is the primary mitigation. Administrators should prioritize this update given the low barrier to exploitation (unauthenticated, network-based attack).

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-35540 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy