CVE-2026-48843

Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16,and 1.7.x before 1.7.1 has Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an insufficient fix for CVE-2026-35540.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/roundcube/roundcubemail/commit/ab96c88bfd888866ec5e02190b19618db283923a
https://github.com/roundcube/roundcubemail/commit/cb3fc9041e91640ba9ba49ee7b2147c176ebf5a1
https://github.com/roundcube/roundcubemail/releases/tag/1.6.16
https://github.com/roundcube/roundcubemail/releases/tag/1.7.1
https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1

Configurations

No configuration.

History

25 May 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-25 20:16

Updated : 2026-06-17 10:55

NVD link : CVE-2026-48843

Mitre link : CVE-2026-48843

CVE.ORG link : CVE-2026-48843

JSON object : View

Products Affected

No product.

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-48843", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-48843", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-26T12:50:34.552140Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 3.9}]}, "affected": [{"source": "cve@mitre.org", "affectedData": [{"vendor": "Roundcube", "product": "Webmail", "versions": [{"status": "affected", "version": "1.6.14", "lessThan": "1.6.16", "versionType": "semver"}, {"status": "affected", "version": "1.7.0", "lessThan": "1.7.1", "versionType": "semver"}], "defaultStatus": "unaffected"}]}], "published": "2026-05-25T20:16:36.767", "references": [{"url": "https://github.com/roundcube/roundcubemail/commit/ab96c88bfd888866ec5e02190b19618db283923a", "source": "cve@mitre.org"}, {"url": "https://github.com/roundcube/roundcubemail/commit/cb3fc9041e91640ba9ba49ee7b2147c176ebf5a1", "source": "cve@mitre.org"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16", "source": "cve@mitre.org"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1", "source": "cve@mitre.org"}, {"url": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1", "source": "cve@mitre.org"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "cve@mitre.org", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16,and 1.7.x before 1.7.1 has Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an insufficient fix for CVE-2026-35540."}], "lastModified": "2026-06-17T10:55:17.000", "sourceIdentifier": "cve@mitre.org"}