CVE-2026-48843 PUBLISHED

Assigner: mitre
Reserved: 25.05.2026 Published: 25.05.2026 Updated: 26.05.2026

Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16,and 1.7.x before 1.7.1 has Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an insufficient fix for CVE-2026-35540.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CVSS Score: 7.2

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Roundcube
Product	Webmail
Versions	Default: unaffected affected from 1.6.14 to 1.6.16 (excl.) affected from 1.7.0 to 1.7.1 (excl.)

References

https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
https://github.com/roundcube/roundcubemail/releases/tag/1.7.1
https://github.com/roundcube/roundcubemail/commit/ab96c88bfd888866ec5e02190b19618db283923a
https://github.com/roundcube/roundcubemail/releases/tag/1.6.16
https://github.com/roundcube/roundcubemail/commit/cb3fc9041e91640ba9ba49ee7b2147c176ebf5a1

Problem Types

CWE-918 Server-Side Request Forgery (SSRF) CWE