Insufficient CSS Sanitization in Roundcube Webmail Product
CVE-2026-35540

5.4 MEDIUM

Key Information:

Vendor: Roundcube
Status: Vendor
CVE Published: 3 April 2026

What is CVE-2026-35540?

CVE-2026-35540 is an insufficient-sanitization flaw in the handling of Cascading Style Sheets (CSS) embedded in HTML e-mail messages in Roundcube Webmail versions before 1.6.14 (the affected range listed below starts at 1.6.0). External stylesheet references carried in a message, in particular ones pointing at hosts on the local network, are processed without adequate checks, so a crafted message can cause Roundcube to request a URL of the sender's choosing (Server-Side Request Forgery, SSRF) and potentially disclose information about internal resources. A webmail server usually sits inside a network perimeter the sender cannot reach directly, which is what makes such requests valuable to an attacker. Upgrading to 1.6.14 or later removes the issue.
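The two defences a webmail needs for this bug class, as an added illustration (this is not Roundcube's own code; the function names, the address list and the sample CSS are assumptions made for the example): neutralise every CSS construct that makes something fetch a URL taken from the message (@import rules, url() values, `<link rel="stylesheet">` elements), and, for any URL the server itself does fetch, refuse loopback, private and link-local targets. The sample stylesheet is constructed to look like what an attacker would embed in a message.

```python
"""Hardened CSS handling for HTML mail (illustration, not Roundcube code)."""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
_IMPORT_RE = re.compile(r"@import\b[^;{}]*;?", re.IGNORECASE)
_URL_RE = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)
# One declaration (up to the next ';' or '}') that contains at least one url().
_DECL_RE = re.compile(r"[^;{}]*url\([^)]*\)[^;}]*;?", re.IGNORECASE)
_LINK_RE = re.compile(r"<link\b[^>]*>", re.IGNORECASE)

# Ranges a mail server must never be talked into connecting to, on top of
# what the ipaddress module already classifies as non-global (assumed list).
_BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


def _is_embedded(target: str) -> bool:
    """Only references to content carried inside the message itself survive."""
    t = target.strip().lower()
    return t.startswith("cid:") or t.startswith("data:image/")


def sanitize_css(css: str) -> str:
    """Remove @import and every declaration whose url() points outside the message.

    Caveat: this works on raw text and does not decode CSS escapes such as
    '\\69mport'; a production washer must operate on tokenised CSS.
    """
    css = _COMMENT_RE.sub("", css)          # defeats /* @im*/port splitting
    css = _IMPORT_RE.sub("", css)           # @import "..." and @import url(...)

    def keep_or_drop(m: re.Match) -> str:
        decl = m.group(0)
        if all(_is_embedded(u.group(2)) for u in _URL_RE.finditer(decl)):
            return decl
        return ""                           # drop the whole declaration

    return _DECL_RE.sub(keep_or_drop, css)


def strip_stylesheet_links(html: str) -> str:
    """<link> has no legitimate use inside a mail body; drop every instance."""
    return _LINK_RE.sub("", html)


def is_safe_fetch_target(url: str) -> bool:
    """True only for an http(s) URL whose host resolves solely to public addresses.

    Unresolvable names, non-http schemes and literal or IPv4-mapped internal
    addresses are all rejected (fail closed). A real fetcher must then connect
    to the addresses checked here rather than resolve the name again, or a DNS
    answer that changes between check and use (rebinding) bypasses the guard.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:                      # a name, not a literal: resolve it
        try:
            infos = socket.getaddrinfo(host, None)
        except socket.gaierror:
            return False
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    for a in addrs:
        if not a.is_global or a.is_multicast or a.is_reserved:
            return False
        if any(a in net for net in _BLOCKED_NETS):
            return False
    return bool(addrs)


# Constructed sample: a <style> block as an attacker might embed it in a message.
SAMPLE_CSS = (
    '@import url("http://10.0.0.5/probe.css");\n'
    'body { background: url(http://intranet.local/tracker.png); color: red }\n'
    'img.logo { content: url(cid:logo@example) }\n'
)

if __name__ == "__main__":
    print(sanitize_css(SAMPLE_CSS))
    for u in ("http://10.0.0.5/a.css", "http://[::1]/a.css",
              "http://169.254.169.254/latest/meta-data/", "http://8.8.8.8/a.css"):
        print(u, "->", "fetch" if is_safe_fetch_target(u) else "BLOCKED")
```

Running the script drops the @import rule and the background declaration pointing at the intranet host while keeping the cid: reference and the colour, and the fetch guard rejects the RFC 1918, loopback and link-local (cloud metadata) targets while allowing the public address. The two checks are deliberately independent: the sanitizer stops the message from referencing remote resources at all, and the fetch guard limits the damage if some code path still ends up fetching a message-supplied URL.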

Affected Version(s)

Roundcube Webmail >= 1.6.0, < 1.6.14

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N (the 5.4 score corresponds to this vector; with an Availability impact of Low the same metrics would score 6.5)

Timeline

  • Vulnerability reserved
  • Vulnerability published: 3 April 2026