Skip to main content

Roundcube Webmail CVE-2026-48846

| EUVD-2026-31725 MEDIUM
Incorrect Resource Transfer Between Spheres (CWE-669)
2026-05-25 mitre GHSA-xx87-33v7-6x23
Information Disclosure Webmail
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 12:43 vuln.today
Analysis Generated
Jun 08, 2026 - 12:43 vuln.today
Patch available
May 26, 2026 - 14:01 EUVD

DescriptionCVE.org

In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.

AnalysisAI

Remote image blocking in Roundcube Webmail 1.6.x and 1.7.x can be silently bypassed by embedding a crafted CSS var() expression in an HTML email, causing the victim's browser to fetch attacker-controlled external resources despite the privacy control being active. This leads to information disclosure - including IP address leakage and email-open tracking - and potential access-control bypass. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft HTML email with CSS var() referencing attacker-controlled URL
Delivery
Send email to Roundcube target
Exploit
Victim opens email in Roundcube HTML view
Execution
Browser resolves CSS var() post-sanitizer
Persist
External resource fetch bypasses remote image block
Impact
Attacker server logs victim IP, timestamp, and read confirmation
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The target deployment must be running Roundcube Webmail 1.6.0-1.6.15 or 1.7.0 with HTML email rendering enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 score (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) reflects a network-accessible, low-complexity flaw requiring no attacker authentication. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a specially crafted HTML email to a Roundcube Webmail user, where the message body contains a CSS style block or inline style using a var() reference that resolves to an attacker-controlled image URL. When the victim views the email in their Roundcube session with HTML rendering enabled, the browser processes the CSS var() at render time - after Roundcube's sanitizer has already passed the content - and silently fetches the external resource, delivering the victim's IP address, browser fingerprint, and precise read timestamp to the attacker's server. …
Remediation Upgrade to Roundcube Webmail 1.6.16 or 1.7.1, released 2026-05-24, per the vendor advisory at https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed

Share

CVE-2026-48846 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy