CVE-2026-48845
MEDIUM
NVD
CVSS Score
6.5
Severity
MEDIUM
Published
May 25, 2026
Vendor
unknown
Description
In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message.
References
- https://github.com/roundcube/roundcubemail/commit/7b52353653a67e6073b97d70eb94047132b78556
- https://github.com/roundcube/roundcubemail/commit/d82b8c6cd06c378eca6d647ccd548f4ff1c68659
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.16
- https://github.com/roundcube/roundcubemail/releases/tag/1.7.1
- https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1