CVE-2026-35545

CVSS v2.0

8.5

High

Vector

AV:N/AC:L/Au:N/C:C/I:P/A:N

Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions prior to 1.5.15 and prior to 1.6.15

Description A flaw exists in Roundcube Webmail that allows bypassing the remote image blocking feature through specially crafted SVG content within email messages. This bypass can potentially lead to information disclosure or access-control bypass. The issue involves the animate element utilizing attributes such as fill, filter, and stroke.

Recommendations Update Roundcube Webmail to version 1.5.15 or later. Update Roundcube Webmail to version 1.6.15 or later.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-669

Related Identifiers

BDU:2026-06325

CVE-2026-35545

GHSA-W846-74JR-76CV

MGASA-2026-0089

Affected Products

Red Os

Roundcube Webmail

CVE-2026-35545

Weakness Enumeration

Related Identifiers

Affected Products

References · 23