Insufficient CSS Sanitization in Roundcube Webmail
CVE-2026-62643

7.2HIGH

Key Information:

Vendor

Roundcube

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-62643?

In Roundcube Webmail versions prior to 1.6.17 and the 1.7.x series before 1.7.2, an insufficient sanitization of Cascading Style Sheets (CSS) in HTML email messages has been identified. This weakness can potentially allow Server-Side Request Forgery (SSRF) or Information Disclosure when stylesheet links are directed to local network hosts. The vulnerability persists as it has not been adequately addressed in fixes for earlier related issues.

Affected Version(s)

Webmail 1.6.0 < 1.6.17

Webmail 1.7.0 < 1.7.2

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.