Vulnerability in Roundcube Webmail's Remote Image Blocking Feature
CVE-2026-35542

5.3MEDIUM

Key Information:

Vendor: Roundcube
Status: Webmail
Vendor: CVE Published:; 3 April 2026

What is CVE-2026-35542?

A vulnerability has been identified in Roundcube Webmail that allows bypassing the remote image blocking feature. This is achieved through manipulating a crafted background attribute of a BODY element within an email message. Such an exploit may lead to unintended information disclosure or unauthorized access-control circumvention. Users are encouraged to upgrade to versions 1.5.14 or 1.6.14 and above to safeguard against this issue.

Affected Version(s)

Webmail 0 < 1.5.14

Webmail 1.6.0 < 1.6.14

References

https://roundcube.net/news/2026/03/18/security-updates-1....

https://github.com/roundcube/roundcubemail/releases/tag/1...

https://github.com/roundcube/roundcubemail/commit/fd0e981...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 3, 2026
Vulnerability Reserved
Apr 3, 2026

CVE-2026-35542 Data

JSON