Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.
AnalysisAI
Roundcube Webmail 1.6.0 through 1.6.13 allows Server-Side Request Forgery (SSRF) and Information Disclosure through insufficient CSS sanitization in HTML email messages, enabling attackers to craft malicious stylesheets that reference local network hosts. The vulnerability affects all instances processing HTML emails with external stylesheet links, and does not require authentication due to the unauthenticated attack vector (AV:N, PR:N in CVSS). Vendor-released patch: versions 1.6.14, 1.7-rc5, and later.
Technical ContextAI
Roundcube Webmail's HTML email rendering engine fails to properly sanitize Cascading Style Sheets (CSS) before displaying user-supplied content. CWE-669 (Improper Initialization) indicates the root cause relates to inadequate initialization or configuration of CSS parsing/filtering mechanisms. When processing HTML email messages, stylesheet declarations with @import or link directives pointing to internal network resources (e.g., http://192.168.x.x/ or http://localhost/) can be executed server-side or cause information leakage through HTTP requests made by the webmail server. The vulnerability exploits the fact that CSS fetching operations can trigger network requests to arbitrary URLs specified in the email, potentially allowing reconnaissance of internal network topology or access to metadata through HTTP response analysis.
RemediationAI
Upgrade Roundcube Webmail to version 1.6.14 or later (for 1.6.x branch) or 1.7-rc5 and subsequent stable releases (for 1.7+ branch). Vendor-released patches are available at https://github.com/roundcube/roundcubemail/releases/tag/1.6.14 and https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14. If immediate upgrade is not feasible, restrict HTML email rendering for untrusted senders or implement a network-level Content Security Policy (CSP) header to block stylesheet fetches to private IP ranges; however, patching is the primary mitigation. Administrators should prioritize this update given the low barrier to exploitation (unauthenticated, network-based attack).
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18583
GHSA-vxg2-hhgr-37fx