Roundcube · Roundcube · CVE-2026-9818
**Name of the Vulnerable Software and Affected Versions**
Roundcube (affected versions not specified)
**Description**
The HTML sanitization path for message rendering allows URLs that point to loopback, localhost, RFC 1918, link-local, and IPv6 unique local (ULA) addresses, even when remote content loading is disabled. A remote attacker can send an HTML email that causes the victim's browser to issue requests to local or private-network services when the message preview is opened.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
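
The check implied by the description, as an added example in Python (not Roundcube code and not part of the advisory): it collects URL-bearing attributes from an HTML message body and labels any whose host is a literal loopback, localhost, RFC 1918, link-local, or ULA address. The function names, the attribute list, and the sample markup are assumptions made for illustration; DNS names that resolve to internal addresses are not covered.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "background", "poster", "action"}  # assumed attribute set
NETS = [(label, ipaddress.ip_network(cidr)) for label, cidr in (
    ("loopback", "127.0.0.0/8"), ("loopback", "::1/128"),
    ("rfc1918", "10.0.0.0/8"), ("rfc1918", "172.16.0.0/12"), ("rfc1918", "192.168.0.0/16"),
    ("link-local", "169.254.0.0/16"), ("link-local", "fe80::/10"),
    ("ula", "fc00::/7"),
)]

def classify_host(host):
    """Return the internal-address category of a URL host, or None."""
    host = (host or "").rstrip(".").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return "localhost"
    try:  # browsers also read a bare integer host as an IPv4 address
        ip = ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return None  # a DNS name: resolution is out of scope here
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    for label, net in NETS:
        if ip.version == net.version and ip in net:
            return label
    return None

class _UrlCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v.strip() for k, v in attrs if k in URL_ATTRS and v]

def find_internal_urls(html):
    """Return (url, category) for each URL attribute pointing at an internal host."""
    collector = _UrlCollector()
    collector.feed(html)
    hits = []
    for url in collector.urls:
        try:
            category = classify_host(urlsplit(url).hostname)
        except ValueError:  # malformed bracketed IPv6 literal
            continue
        if category:
            hits.append((url, category))
    return hits

# Constructed sample message body, not taken from a real email
SAMPLE = ('<img src="http://127.0.0.1:8080/a.png"><a href="https://example.com/">x</a>'
          '<img src="http://[fd12:3456::1]/b.png"><td background="//192.168.1.1/c.gif">')
```

URLs inside inline CSS (`style` attributes and `<style>` blocks) are not extracted by this block and would need the same host check.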