In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. NOTE: this issue exists because of insufficient fixes for CVE-2026-35540 and CVE-2026-48843.
Metrics
Affected Vendors & Products
References
History
Tue, 14 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 14 Jul 2026 16:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. NOTE: this issue exists because of insufficient fixes for CVE-2026-35540 and CVE-2026-48843. | |
| First Time appeared |
Roundcube
Roundcube webmail |
|
| Weaknesses | CWE-918 | |
| CPEs | cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Roundcube
Roundcube webmail |
|
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-07-14T17:17:16.894Z
Reserved: 2026-07-14T15:51:46.593Z
Link: CVE-2026-62643
Updated: 2026-07-14T17:16:57.343Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-14T17:45:03Z