Roundcube Webmail EUVD-2026-31720 | CVE-2026-48845 (MEDIUM)

Incorrect Resource Transfer Between Spheres (CWE-669)
2026-05-25 · mitre · GHSA-g4h2-2gp2-j3wq
CVSS 3.1 (NVD): 6.5

Severity by source

  • NVD (primary): 6.5 MEDIUM, AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  • SUSE: MEDIUM (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

Lifecycle Timeline

  • Source Code Evidence Fetched: Jun 08, 2026, 11:30 (vuln.today)
  • Analysis Generated: Jun 08, 2026, 11:30 (vuln.today)
  • Patch available: May 26, 2026, 14:01 (EUVD)

Description (CVE.org)

In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message.

Analysis (AI-generated)

Remote image blocking bypass in Roundcube Webmail allows unauthenticated network attackers to embed HTML email image tags pointing to local or private network destinations, causing the server to fetch those resources despite the 'block remote images' policy being active. Affected versions are 1.6.14 through 1.6.15 and 1.7.0, with vendor-released patches 1.6.16 and 1.7.1 available since May 2026 per the official advisory. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Craft HTML email with RFC 1918 or loopback image URL
  • Delivery: Deliver email to target Roundcube user
  • Exploit: Roundcube server processes HTML email body
  • Execution: Server fetches local/private URL bypassing image block
  • Persist: Internal service response accessed by server
  • Impact: Attacker extracts credentials or maps internal infrastructure

Vulnerability Assessment (AI-generated)

Exploitation: The vulnerability requires that the Roundcube server perform server-side fetching of image URLs present in HTML email bodies, which occurs during normal HTML email processing in affected versions when the remote image blocking feature is active but the URL validation logic fails to classify local/private addresses as blocked destinations. …

Risk Assessment: The CVSS base score is 6.5 (Medium) with AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, reflecting low attack complexity and no authentication requirement, but bounded confidentiality and integrity impact. …

Exploit Scenario: An attacker sends a crafted HTML email to a Roundcube user with an embedded image tag pointing to an internal address such as http://169.254.169.254/latest/meta-data/ (AWS instance metadata) or an internal management console at an RFC 1918 address. When Roundcube processes the email server-side, it fetches the local URL despite remote image blocking being enabled, potentially leaking cloud credentials, internal API responses, or infrastructure details. …

Remediation: The primary fix is upgrading to Roundcube Webmail 1.7.1 for 1.7.x deployments, or 1.6.16 for 1.6.x deployments, per the vendor security advisory at https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1. …
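The assessment above describes the failing check as URL validation that does not treat local/private addresses as destinations the "block remote images" policy applies to. As an added illustration, not Roundcube's code and not taken from the advisory, the following Python classifier shows the defensive shape such a check needs: every destination that would cause a network fetch (public hosts, DNS names, loopback, RFC 1918, link-local and IPv4-mapped IPv6 literals alike) counts as "remote", and only content embedded in the message itself (cid: and data: URLs) is exempt. The function names, the "kind" labels and the sample URLs are assumptions constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Schemes whose content is embedded in the message itself; loading them causes
# no network fetch, so a "block remote images" policy does not apply to them.
INLINE_SCHEMES = {"cid", "data"}


def address_kind(ip):
    """Classify an ipaddress object as loopback, link-local, private or public.

    Meant for IP literals found in <img src> URLs and, at connect time, for the
    addresses a hostname actually resolves to (hypothetical usage)."""
    # ::ffff:a.b.c.d is an IPv4 address in IPv6 clothing; classify the inner v4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback or ip.is_unspecified:
        return "loopback"
    if ip.is_link_local:          # 169.254.0.0/16 (cloud metadata), fe80::/10
        return "link-local"
    if not ip.is_global:          # RFC 1918, CGNAT 100.64/10, ULA fc00::/7, ...
        return "private"
    return "public-ip"


def destination_kind(url):
    """Classify an image URL from an HTML mail body.

    Returns "inline" for embedded content and otherwise a label describing
    where a fetch would go. Every non-"inline" label is a remote fetch."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() in INLINE_SCHEMES:
        return "inline"
    # urlsplit lowercases the host and strips IPv6 brackets for us.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "unresolvable"     # malformed or scheme-only; still not embedded
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name. It may resolve anywhere, including to a private address,
        # so the resolved addresses must be re-checked with address_kind().
        return "hostname"
    return address_kind(ip)


def is_remote(url):
    """True when loading the URL would cause a network fetch of any kind."""
    return destination_kind(url) != "inline"


def should_block(url, block_remote_images=True):
    """Policy decision: with blocking on, every remote destination is blocked,
    whether it is public, private, loopback or link-local."""
    return block_remote_images and is_remote(url)


if __name__ == "__main__":
    # Constructed sample <img src> values; the metadata URL is the one named in
    # the exploit scenario above.
    for sample in [
        "cid:logo@newsletter",
        "http://169.254.169.254/latest/meta-data/",
        "http://127.0.0.1:8080/admin",
        "http://[::ffff:10.0.0.1]/status",
        "https://images.example.com/banner.png",
    ]:
        print(f"{sample:45} {destination_kind(sample):12} block={should_block(sample)}")
```

The design point is the inversion: instead of a denylist of "local" strings that are exempted, the policy allow-lists only embedded content, so an unusual spelling of a private destination cannot slip through as "not remote". Because a DNS name can resolve to a private or loopback address, the same `address_kind()` check belongs at connect time on the resolved addresses as well, not only on the literal in the URL.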


Vendor Status

SUSE
  • Severity: Medium
  • openSUSE Leap 16.0: Fixed
  • openSUSE Tumbleweed: Fixed

EUVD-2026-31720 vulnerability details – vuln.today