EUVD-2026-18587

| CVE-2026-35542 MEDIUM
2026-04-03 mitre GHSA-5hf6-crg4-fg59
5.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch Released
Apr 04, 2026 - 08:30 nvd
Patch available
EUVD ID Assigned
Apr 03, 2026 - 04:30 euvd
EUVD-2026-18587
Analysis Generated
Apr 03, 2026 - 04:30 vuln.today
CVE Published
Apr 03, 2026 - 03:54 nvd
MEDIUM 5.3

Tags

Information Disclosure

Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.

Analysis

Roundcube Webmail before versions 1.5.14 and 1.6.14 allows unauthenticated remote attackers to bypass the remote image blocking security feature through a crafted background attribute in a BODY element of an email message, enabling information disclosure via tracking pixels or other image-based reconnaissance. The vulnerability affects all versions prior to 1.5.14 and 1.6.x versions before 1.6.14, with CVSS 5.3 (medium severity) reflecting the low confidentiality impact but lack of authentication requirements.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

27
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +26
POC: 0

Share

EUVD-2026-18587 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy