CVE-2026-35543 PUBLISHED

Assigner: mitre
Reserved: 03.04.2026 Published: 03.04.2026 Updated: 03.04.2026

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Roundcube
Product	Webmail
Versions	Default: unaffected affected from 0 to 1.5.14 (excl.) affected from 1.6.0 to 1.6.14 (excl.)

References

https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
https://github.com/roundcube/roundcubemail/commit/82ab5eca7b332fce7a174b2b987f0957a66377cd
https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
https://github.com/roundcube/roundcubemail/commit/39471343ee081ce1d31696c456a2c163462daae3
https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
https://github.com/roundcube/roundcubemail/commit/1a63e01542bff42aaa71c00c4c279a09ef31f20c

Problem Types

CWE-669 Incorrect Resource Transfer Between Spheres CWE