Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Roundcube's HTML sanitization path for message rendering allows loopback, localhost, RFC1918, link-local, and ULA URLs even when remote content loading is disabled. A remote attacker can send an HTML email that causes the victim's browser to issue requests to local or private-network services simply by opening the message preview.
AnalysisAI
Roundcube Webmail's HTML sanitizer fails to block loopback, localhost, RFC1918, link-local, and ULA addresses when rendering HTML email, even when the user has disabled remote content loading. An unauthenticated remote attacker (PR:N per CVSS) can send a crafted HTML email that - upon the victim previewing it - causes their browser to issue HTTP requests to internal or private-network services, enabling blind probing or interaction with local infrastructure. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis, though the changed scope (S:C in CVSS) reflects that impact extends to resources beyond Roundcube itself.
Technical ContextAI
Roundcube Webmail (CPE: cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*) includes an HTML sanitization pipeline that strips or rewrites potentially dangerous content before rendering messages in the browser. The root cause is CWE-184 (Incomplete List of Disallowed Inputs): the URL blocklist enforced by the sanitizer when remote content loading is disabled did not account for the full range of local address spaces - IPv4 loopback (127.0.0.0/8), 'localhost', RFC1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and IPv6 ULA (fc00::/7). Because these address families were omitted from the disallowed list, HTML img tags, CSS url() references, or other resource-loading vectors pointing to these addresses are permitted by the sanitizer and fetched by the victim's browser, not by the Roundcube server itself. The CVSS Scope:Changed rating reflects that the impacted component (the victim's internal network) is distinct from the vulnerable component (the webmail sanitizer).
RemediationAI
The primary remediation is to upgrade Roundcube Webmail to version 1.7.1 (for 1.7.x deployments) or 1.6.16 (for 1.6.x deployments), both confirmed as vendor-released patches. The specific upstream fixes are in commits faf867432f51ebbe100382a70a9e3c042415ee1b and 7b52353653a67e6073b97d70eb94047132b78556 on the Roundcube GitHub repository. If immediate patching is not possible, a network-level compensating control is to use a Content Security Policy (CSP) header on the Roundcube deployment that restricts connect-src and img-src to disallow private and loopback address ranges; note that CSP enforcement depends on the browser and may not cover all resource-loading vectors. Additionally, network egress controls preventing browser traffic from Roundcube user workstations to RFC1918 ranges would reduce the blast radius, at the cost of legitimate internal service access. Backups are recommended before upgrading, per vendor guidance.
Same weakness CWE-184 – Incomplete List of Disallowed Inputs
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32893
GHSA-mhgj-jxxf-gxj9