Insufficient CSS Sanitization in Roundcube Webmail Products
CVE-2026-48843

7.2HIGH

Key Information:

Vendor: Roundcube
Status: Webmail
Vendor: CVE Published:; 25 May 2026

What is CVE-2026-48843?

Certain versions of Roundcube Webmail exhibit a vulnerability linked to inadequate sanitization of Cascading Style Sheets (CSS) used in HTML email messages. This can potentially lead to issues such as Server-Side Request Forgery (SSRF) or unintentional information disclosure, particularly if the stylesheet links direct to resources on the local network. The root cause relates to an insufficient resolution of a previous issue documented in CVE-2026-35540.

Affected Version(s)

Webmail 1.6.14 < 1.6.16

Webmail 1.7.0 < 1.7.1

References

https://roundcube.net/news/2026/05/24/security-updates-1....

https://github.com/roundcube/roundcubemail/releases/tag/1...

https://github.com/roundcube/roundcubemail/commit/ab96c88...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 25, 2026
Vulnerability Reserved
May 25, 2026

CVE-2026-48843 Data

JSON