What is the CVSS score of EUVD-2026-18593?

EUVD-2026-18593 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for EUVD-2026-18593?

Yes, a patch is available for EUVD-2026-18593. Update the affected software to the latest version immediately.

Webmail EUVD-2026-18593

| CVE-2026-35545 MEDIUM

Incorrect Resource Transfer Between Spheres (CWE-669)

2026-04-03 mitre

GHSA-w846-74jr-76cv

Information Disclosure Webmail

5.3

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

5.3 MEDIUM

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

Patch released

Apr 04, 2026 - 08:30 nvd

Patch available

EUVD ID Assigned

Apr 03, 2026 - 04:30 euvd

EUVD-2026-18593

Analysis Generated

Apr 03, 2026 - 04:30 vuln.today

CVE Published

Apr 03, 2026 - 04:02 nvd

MEDIUM 5.3

DescriptionCVE.org

An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.

AnalysisAI

Roundcube Webmail before versions 1.5.15 and 1.6.15 fails to properly sanitize SVG content in email messages, allowing the remote image blocking feature to be bypassed via SVG animate elements with malicious attributeName values. This vulnerability enables unauthenticated attackers to bypass access controls and potentially disclose information through image loading, affecting all Roundcube installations using vulnerable versions.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates a moderate vulnerability with a score of 5.3, reflecting network-accessible, low-complexity attack requiring no privileges or user interaction, with limited integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker crafts a malicious email containing an embedded SVG element with an animate tag using attributeName='fill' or attributeName='filter' to reference an external image URL. When a victim using vulnerable Roundcube opens this email, the webmail client's image blocking feature fails to sanitize the SVG payload, allowing the external resource to be loaded. …
Remediation	Vendor-released patches are available: upgrade Roundcube Webmail to version 1.5.15 or later (for 1.5.x users) or version 1.6.15 or later (for 1.6.x users). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-18593 vulnerability details – vuln.today

Back

Webmail EUVD-2026-18593

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Share

External POC / Exploit Code