CVE-2026-35543

EPSS 0.05%
Veröffentlicht 03.04.2026 03:57:06
Zuletzt bearbeitet 07.04.2026 20:40:11
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

NVD 2 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Roundcube ≫ Webmail Version < 1.5.14

Roundcube ≫ Webmail Version >= 1.6.0 < 1.6.14

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.141

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cve@mitre.org	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-669 Incorrect Resource Transfer Between Spheres

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14

Vendor Advisory

https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5

Release Notes

https://github.com/roundcube/roundcubemail/releases/tag/1.6.14

Release Notes

https://github.com/roundcube/roundcubemail/releases/tag/1.5.14

Release Notes

https://github.com/roundcube/roundcubemail/commit/82ab5eca7b332fce7a174b2b987f0957a66377cd

Patch

https://github.com/roundcube/roundcubemail/commit/39471343ee081ce1d31696c456a2c163462daae3

Patch