PT-2026-43106 · Unknown · Roundcube Webmail
Zazy
·
Published
2026-05-24
·
Updated
2026-05-27
·
CVE-2026-48843
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Roundcube Webmail versions 1.6.14 through 1.6.16
Roundcube Webmail versions prior to 1.7.1
Description
Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to Server-Side Request Forgery (SSRF), where an attacker induces the server to make requests to an unintended location, or Information Disclosure. This occurs if stylesheet links point to local network hosts.
Recommendations
Update to version 1.6.16-2.1 for versions 1.6.14 through 1.6.16.
Update to version 1.7.1 for versions prior to 1.7.1.
Exploit
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Roundcube Webmail