PT-2026-43108 · Unknown · Roundcube Webmail
Zazy
·
Published
2026-05-24
·
Updated
2026-05-27
·
CVE-2026-48845
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Roundcube Webmail versions 1.6.14 through 1.6.16
Roundcube Webmail versions prior to 1.7.1
Description
Remote image blocking is not honored for URLs pointing to local or private destinations. This issue can be triggered via a text/html email message, potentially leading to information disclosure or privilege escalation.
Recommendations
Update versions 1.6.14 through 1.6.16 to a patched release.
Update versions prior to 1.7.1 to version 1.7.1.
Exploit
Fix
LPE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Roundcube Webmail