CVE-2026-35545

| EUVD-2026-18593 MEDIUM
2026-04-03 mitre GHSA-w846-74jr-76cv
5.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch Released
Apr 04, 2026 - 08:30 nvd
Patch available
EUVD ID Assigned
Apr 03, 2026 - 04:30 euvd
EUVD-2026-18593
Analysis Generated
Apr 03, 2026 - 04:30 vuln.today
CVE Published
Apr 03, 2026 - 04:02 nvd
MEDIUM 5.3

Tags

Information Disclosure

Description

An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.

Analysis

Roundcube Webmail before versions 1.5.15 and 1.6.15 fails to properly sanitize SVG content in email messages, allowing the remote image blocking feature to be bypassed via SVG animate elements with malicious attributeName values. This vulnerability enables unauthenticated attackers to bypass access controls and potentially disclose information through image loading, affecting all Roundcube installations using vulnerable versions.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

27
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +26
POC: 0

Share

CVE-2026-35545 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy