What is the CVSS score of EUVD-2026-18589?

EUVD-2026-18589 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for EUVD-2026-18589?

Yes, a patch is available for EUVD-2026-18589. Update the affected software to the latest version immediately.

Webmail EUVD-2026-18589

| CVE-2026-35543 MEDIUM

Incorrect Resource Transfer Between Spheres (CWE-669)

2026-04-03 mitre

GHSA-j2g6-8rvg-7mf6

Information Disclosure Webmail

5.3

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

5.3 MEDIUM

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Patch released

Apr 04, 2026 - 08:30 nvd

Patch available

EUVD ID Assigned

Apr 03, 2026 - 04:30 euvd

EUVD-2026-18589

Analysis Generated

Apr 03, 2026 - 04:30 vuln.today

CVE Published

Apr 03, 2026 - 03:57 nvd

MEDIUM 5.3

DescriptionCVE.org

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.

AnalysisAI

Roundcube Webmail before versions 1.5.14 and 1.6.14 allows unauthenticated remote attackers to bypass the remote image blocking feature via SVG content containing animate attributes in email messages, leading to information disclosure or access control bypass. The vulnerability has a CVSS score of 5.3 (moderate severity) with low attack complexity and no authentication required, though the confidentiality impact is limited.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates a network-accessible vulnerability requiring no privileges or user interaction, but with low confidentiality impact and no integrity or availability damage. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker sends a specially crafted HTML email to a Roundcube Webmail user containing an SVG element with animate attributes designed to fetch a remote tracking image or script. When the recipient opens the email, Roundcube's image blocking feature fails to recognize the SVG animate construct as a remote resource request, allowing the embedded SVG animation to execute and contact the attacker's server. …
Remediation	Organizations must upgrade Roundcube Webmail to version 1.5.14, 1.6.14, or later to remediate the vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-18589 vulnerability details – vuln.today

Back

Webmail EUVD-2026-18589

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Share

External POC / Exploit Code