CVE-2026-35543
MEDIUM
NVD
CVSS Score
5.3
Severity
MEDIUM
Published
Apr 03, 2026
Vendor
unknown
Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.
References
- https://github.com/roundcube/roundcubemail/commit/1a63e01542bff42aaa71c00c4c279a09ef31f20c
- https://github.com/roundcube/roundcubemail/commit/39471343ee081ce1d31696c456a2c163462daae3
- https://github.com/roundcube/roundcubemail/commit/82ab5eca7b332fce7a174b2b987f0957a66377cd
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.14