PT-2026-43106 · Unknown · Roundcube Webmail

Zazy

·

Published

2026-05-24

·

Updated

2026-05-27

·

CVE-2026-48843

CVSS v3.1

7.2

High

VectorAV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions 1.6.14 through 1.6.16 Roundcube Webmail versions prior to 1.7.1
Description Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to Server-Side Request Forgery (SSRF), where an attacker induces the server to make requests to an unintended location, or Information Disclosure. This occurs if stylesheet links point to local network hosts.
Recommendations Update to version 1.6.16-2.1 for versions 1.6.14 through 1.6.16. Update to version 1.7.1 for versions prior to 1.7.1.

Exploit

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-07449
CVE-2026-48843
OPENSUSE-SU-2026:10869-1
OPENSUSE-SU-2026:20852-1

Affected Products

Roundcube Webmail