
Roundcube Webmail EUVD-2026-31718 | CVE-2026-48843 HIGH

Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-25 · mitre · GHSA-2hww-8583-w9wf
7.2 (CVSS 3.1, NVD)

Severity by source

NVD (primary): 7.2 HIGH, AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
SUSE: HIGH (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched: Jun 08, 2026 - 10:26 (vuln.today)
Analysis Generated: Jun 08, 2026 - 10:26 (vuln.today)
Patch available: May 26, 2026 - 14:01 (EUVD)

Description (CVE.org)

Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16, and 1.7.x before 1.7.1, has insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages that may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an insufficient fix for CVE-2026-35540.

Analysis (AI)

Server-side request forgery and information disclosure in Roundcube Webmail 1.6.14-1.6.15 and 1.7.0 allow a remote attacker to make the webmail server fetch internal network resources by embedding malicious stylesheet links in an HTML email message. The flaw is a regression of CVE-2026-35540 caused by insufficient CSS sanitization. No public exploit had been identified at the time of analysis, and the EPSS score is low (0.03%, 9th percentile), even though the vulnerability is trivially triggerable by sending a crafted email.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: identify the Roundcube target version
  • Delivery: craft an HTML email with a malicious CSS link to an internal URL
  • Exploit: send the email to the victim user
  • Install: the victim opens the message in Roundcube webmail
  • C2: the server-side CSS sanitizer fails to strip the link
  • Execute: Roundcube fetches the internal resource
  • Impact: exfiltrate the response or infer internal topology

Vulnerability Assessment (AI)

Exploitation: The Roundcube server must have HTML message rendering active (the default) and its PHP runtime must be able to reach the internal target the attacker wants to probe. The victim has to open or preview the malicious HTML message in the Roundcube interface; that is what triggers the server-side stylesheet fetch. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (7.2 High) describes a network-reachable, unauthenticated trigger with changed scope and low confidentiality and integrity impact, which fits an SSRF that pivots from the mail subsystem to internal services. Note that the vector scores User Interaction as None, while the exploitation conditions above require the recipient to open or preview the message; read the 7.2 as NVD's rating rather than as a statement that no interaction is needed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker emails a Roundcube user an HTML message containing a crafted <link rel='stylesheet'> or @import pointing at http://169.254.169.254/latest/meta-data/ (the cloud instance metadata endpoint) or at an internal admin URL such as http://10.0.0.5/admin. When the recipient opens or previews the message, the Roundcube server fetches the URL on the attacker's behalf; the returned content, or the timing and response signals, can disclose internal network topology, cloud IAM credentials, or service banners. …
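The scenario above, as an added example that is not part of this page or of Roundcube's own code: a scanner that pulls every stylesheet reference out of an HTML message body (<link rel="stylesheet">, @import, url()), classifies each target the way an SSRF guard should (cid: parts are resolved locally and never fetched, non-http schemes are refused, and anything resolving to loopback, RFC 1918, link-local or an unknown name counts as internal), and the sanitizer policy that removes the fetch altogether. The sample message, the DNS table and every function name are constructed for illustration. CSS comment stripping is included because input such as url(/**/http://...) is exactly what a regex-only filter misses, which is the class of insufficient sanitization this advisory describes.

```python
"""Added example, not Roundcube code: locate every stylesheet reference an HTML
e-mail would make a renderer (or a server-side fetcher) load, classify the target,
and show a sanitizer policy that closes the hole.  Message and DNS table are constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# CSS comments are a classic way to smuggle "url(" past a naive filter; drop them first.
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_IMPORT = re.compile(r"""@import\s+(?:url\(\s*)?["']?([^"')\s;]+)["']?\s*\)?[^;]*;?""", re.I)
_URL = re.compile(r"""url\(\s*["']?([^"')\s]*)["']?\s*\)""", re.I)

def css_refs(css):
    """Return [(kind, target)] for @import and url() references in a CSS fragment."""
    css = _COMMENT.sub("", css)
    refs = [("import", m.group(1)) for m in _IMPORT.finditer(css)]
    rest = _IMPORT.sub("", css)                      # so "@import url(x)" is not counted twice
    refs += [("url", m.group(1)) for m in _URL.finditer(rest) if m.group(1)]
    return refs

class _Collector(HTMLParser):
    """Gathers <link rel=stylesheet href>, <style> bodies and style="" attributes."""
    def __init__(self):
        super().__init__()
        self.refs, self._in_style, self._buf = [], False, []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split() and a.get("href"):
            self.refs.append(("link", a["href"]))
        if tag == "style":
            self._in_style = True
        if a.get("style"):                           # inline style="background:url(...)"
            self.refs += css_refs(a["style"])
    def handle_endtag(self, tag):
        if tag == "style":                           # <style> content arrives via handle_data
            self._in_style = False
            self.refs += css_refs("".join(self._buf))
            self._buf = []
    def handle_data(self, data):
        if self._in_style:
            self._buf.append(data)

def stylesheet_refs(html):
    p = _Collector()
    p.feed(html)
    p.close()
    return p.refs

# Constructed DNS table.  A real guard resolves the name, re-validates the address it
# actually connects to (DNS rebinding), and fails closed on names it cannot resolve.
_DNS = {"cdn.example.net": ["8.8.8.8"], "intranet.corp.example": ["10.0.0.5"]}

def classify(url, resolve=_DNS.get):
    """'cid' (inline part, no fetch), 'blocked-scheme', 'internal' or 'external'."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme == "cid":
        return "cid"
    if scheme not in ("http", "https"):
        return "blocked-scheme"                      # file:, data:, gopher: ... never fetched
    host = parts.hostname or ""
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in (resolve(host) or [])]
    if not addrs or any(not a.is_global for a in addrs):
        return "internal"                            # loopback, RFC 1918, link-local, unresolved
    return "external"

def scan_message(html):
    """Every stylesheet reference with its verdict; any 'internal' hit is the SSRF signal."""
    return [(kind, url, classify(url)) for kind, url in stylesheet_refs(html)]

def strip_unsafe_css(css):
    """Sanitizer policy: no @import at all; url() survives only for cid: references."""
    css = _COMMENT.sub("", css)
    css = _IMPORT.sub("", css)
    return _URL.sub(lambda m: m.group(0) if m.group(1).lower().startswith("cid:") else "none", css)

# Constructed message mirroring the exploit scenario on this page.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://169.254.169.254/latest/meta-data/">
<style>@import url("http://10.0.0.5/admin"); body{background:url(/**/https://cdn.example.net/bg.png)}</style>
</head><body><p style="background:url('cid:logo@mail')">hi</p></body></html>"""

if __name__ == "__main__":
    for kind, url, verdict in scan_message(SAMPLE):
        print(f"{verdict:14} {kind:6} {url}")
    print(strip_unsafe_css('@import "http://10.0.0.5/x.css"; p{background:url(cid:logo)}'))
```

The scan side is what a mail gateway or a detection rule would run on inbound HTML; the strip side is the policy a renderer should enforce before any fetch is attempted. Neither replaces the vendor fix named under Remediation, and the classification must be repeated at connect time, since a name that resolves to a public address at scan time can point at 10.0.0.5 a moment later.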
Remediation Vendor-released patch: upgrade to Roundcube Webmail 1.6.16 (https://github.com/roundcube/roundcubemail/releases/tag/1.6.16) for the 1.6.x branch or 1.7.1 (https://github.com/roundcube/roundcubemail/releases/tag/1.7.1) for the 1.7.x branch, per the advisory at https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify all Roundcube instances and determine which versions are deployed. …
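The inventory step above, as an added example that is not part of this page or of the Roundcube project: a checker that reads an installed version and decides whether it falls in the ranges this advisory lists (1.6.14 up to but not including 1.6.16, and 1.7.0 up to but not including 1.7.1), plus a directory walk that finds every install under a web root. It assumes the version string is the define('RCMAIL_VERSION', ...) in program/include/iniset.php of a Roundcube install tree (verify the path against your own deployment); the install tree built by demo() is constructed so the example runs offline, and the AFFECTED and FIXED tables and all function names are this example's own.

```python
"""Added example (not Roundcube project code): flag installs whose version falls in the
affected ranges listed on this page and point at the fixed release for that branch."""
import os
import re
import tempfile

AFFECTED = [((1, 6, 14), (1, 6, 16)), ((1, 7, 0), (1, 7, 1))]   # [lower, upper) per branch
FIXED = {(1, 6): "1.6.16", (1, 7): "1.7.1"}                       # from the advisory on this page

# Assumption: Roundcube records its version as define('RCMAIL_VERSION', '1.6.x');
_VERSION_DEFINE = re.compile(r"""define\(\s*['"]RCMAIL_VERSION['"]\s*,\s*['"]([^'"]+)['"]""")

def parse_version(s):
    """'1.6.15' -> (1, 6, 15); '1.7.0-rc' -> (1, 7, 0).  Pre-release tags are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised version: {s!r}")
    return tuple(int(x or 0) for x in m.groups())

def status(version):
    """Verdict for one version string against the ranges this advisory lists."""
    v = parse_version(version)
    for lo, hi in AFFECTED:
        if lo <= v < hi:
            return f"AFFECTED by CVE-2026-48843, upgrade to {FIXED[v[:2]]}"
    if v[:2] in FIXED and v >= parse_version(FIXED[v[:2]]):
        return "fixed"
    return "outside the affected range for this CVE (still move to a fixed release)"

def version_from_install(root):
    """Read RCMAIL_VERSION from <root>/program/include/iniset.php."""
    path = os.path.join(root, "program", "include", "iniset.php")
    with open(path, encoding="utf-8", errors="replace") as f:
        m = _VERSION_DEFINE.search(f.read())
    if not m:
        raise ValueError(f"no RCMAIL_VERSION in {path}")
    return m.group(1)

def find_installs(search_root):
    """Yield (install_root, version, verdict) for every iniset.php under search_root."""
    marker = os.path.join("program", "include")
    for dirpath, _, files in os.walk(search_root):
        if "iniset.php" in files and dirpath.endswith(marker):
            root = os.path.dirname(os.path.dirname(dirpath))
            try:
                ver = version_from_install(root)
                yield root, ver, status(ver)
            except (OSError, ValueError) as e:          # unreadable or unexpected file
                yield root, None, f"error: {e}"

def demo():
    """Constructed install tree (three fake Roundcube roots) so the example runs offline."""
    tmp = tempfile.mkdtemp()
    for name, ver in [("rc-a", "1.6.15"), ("rc-b", "1.6.16"), ("rc-c", "1.7.0")]:
        inc = os.path.join(tmp, name, "program", "include")
        os.makedirs(inc)
        with open(os.path.join(inc, "iniset.php"), "w") as f:
            f.write(f"<?php\ndefine('RCMAIL_VERSION', '{ver}');\n")
    return sorted((os.path.basename(r), v, s) for r, v, s in find_installs(tmp))

if __name__ == "__main__":
    for name, ver, verdict in demo():
        print(f"{name}: {ver} -> {verdict}")
```

Point find_installs() at /var/www, /srv or wherever Roundcube is unpacked; packaged installs (the SUSE entries below, for example) are better checked through the package manager, since the vendor may ship the fix under the distribution's own version number.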


Vendor Status

SUSE

Severity: High
Product status:
  • openSUSE Leap 16.0: Fixed
  • openSUSE Tumbleweed: Fixed
