Skip to main content

Roundcube Webmail EUVDEUVD-2026-32893

| CVE-2026-9818 MEDIUM
Incomplete List of Disallowed Inputs (CWE-184)
2026-05-28 OCD GHSA-mhgj-jxxf-gxj9
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 28, 2026 - 13:21 vuln.today
Analysis Generated
May 28, 2026 - 13:21 vuln.today

DescriptionCVE.org

Roundcube's HTML sanitization path for message rendering allows loopback, localhost, RFC1918, link-local, and ULA URLs even when remote content loading is disabled. A remote attacker can send an HTML email that causes the victim's browser to issue requests to local or private-network services simply by opening the message preview.

AnalysisAI

Roundcube Webmail's HTML sanitizer fails to block loopback, localhost, RFC1918, link-local, and ULA addresses when rendering HTML email, even when the user has disabled remote content loading. An unauthenticated remote attacker (PR:N per CVSS) can send a crafted HTML email that - upon the victim previewing it - causes their browser to issue HTTP requests to internal or private-network services, enabling blind probing or interaction with local infrastructure. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis, though the changed scope (S:C in CVSS) reflects that impact extends to resources beyond Roundcube itself.

Technical ContextAI

Roundcube Webmail (CPE: cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*) includes an HTML sanitization pipeline that strips or rewrites potentially dangerous content before rendering messages in the browser. The root cause is CWE-184 (Incomplete List of Disallowed Inputs): the URL blocklist enforced by the sanitizer when remote content loading is disabled did not account for the full range of local address spaces - IPv4 loopback (127.0.0.0/8), 'localhost', RFC1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and IPv6 ULA (fc00::/7). Because these address families were omitted from the disallowed list, HTML img tags, CSS url() references, or other resource-loading vectors pointing to these addresses are permitted by the sanitizer and fetched by the victim's browser, not by the Roundcube server itself. The CVSS Scope:Changed rating reflects that the impacted component (the victim's internal network) is distinct from the vulnerable component (the webmail sanitizer).

RemediationAI

The primary remediation is to upgrade Roundcube Webmail to version 1.7.1 (for 1.7.x deployments) or 1.6.16 (for 1.6.x deployments), both confirmed as vendor-released patches. The specific upstream fixes are in commits faf867432f51ebbe100382a70a9e3c042415ee1b and 7b52353653a67e6073b97d70eb94047132b78556 on the Roundcube GitHub repository. If immediate patching is not possible, a network-level compensating control is to use a Content Security Policy (CSP) header on the Roundcube deployment that restricts connect-src and img-src to disallow private and loopback address ranges; note that CSP enforcement depends on the browser and may not cover all resource-loading vectors. Additionally, network egress controls preventing browser traffic from Roundcube user workstations to RFC1918 ranges would reduce the blast radius, at the cost of legitimate internal service access. Backups are recommended before upgrading, per vendor guidance.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-32893 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy