Platform
roundcube
Component
roundcube/roundcubemail
Fixed in
1.6.14
1.7-rc5
CVE-2026-35540 is a Server-Side Request Forgery (SSRF) vulnerability in Roundcube Webmail affecting releases before 1.6.14 and 1.7 pre-releases before 1.7-rc5. It stems from insufficient sanitization of Cascading Style Sheets (CSS) in HTML email messages, which can let an attacker make the webmail server issue requests to internal network resources or disclose sensitive information. The fix is in 1.6.14 and 1.7-rc5, and users are strongly advised to upgrade.
An attacker exploiting this flaw would craft an HTML email whose stylesheet references point at internal network hosts. When a user opens the message in Roundcube Webmail, the server attempts to fetch the referenced stylesheet, so the request is made from the webmail server's own network position rather than from the attacker's. This can disclose information if the internal resource returns sensitive data, and lets the attacker interact with internal services that trust requests from the webmail host without further authentication. The blast radius covers every HTTP/HTTPS service reachable from the Roundcube server, which may include internal APIs, management interfaces or database front ends, and a series of such requests lets the attacker map the internal network and identify further targets.
CVE-2026-35540 was publicly disclosed on 2026-04-03. No public proof-of-concept exploit is known. The EPSS score is 0.04% (13th percentile), consistent with exploitation requiring a crafted email to reach and be opened by a user and with the impact being limited unless the attacker can pivot from the SSRF. It is not listed in the CISA KEV catalog.
Organizations using Roundcube Webmail for internal or external email are at risk. Shared hosting environments where many users share one Roundcube instance deserve particular attention, since any tenant or external sender can deliver a crafted message, and the resulting requests originate from a server that serves all tenants. Legacy Roundcube deployments on older, unpatched releases are at the greatest risk.
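The authoritative check is the installed version. The following Python example is added here and is not code from the page or from the Roundcube project: it reads the RCMAIL_VERSION constant that Roundcube defines in program/include/iniset.php and compares it against the fixed releases listed above (1.6.14 and 1.7-rc5), handling the rc/beta suffixes that Roundcube uses for pre-releases. The sample iniset.php text is constructed, and the decision to report 1.5 and older branches, 1.7 betas and "-git" development snapshots as unfixed is an assumption made here because the page lists no fix for them.

```python
"""Added example (not from the page or the Roundcube project): classify an
installed Roundcube version against the fixed releases for CVE-2026-35540."""
import os
import re
import sys

FIXED_16 = (1, 6, 14)   # fixed in 1.6.14 (from the page)
FIXED_17_RC = 5          # fixed in 1.7-rc5 (from the page)

# Roundcube declares its version in program/include/iniset.php, e.g.
#   define('RCMAIL_VERSION', '1.6.13');
VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_roundcube_version(iniset_text):
    """Return the RCMAIL_VERSION string found in iniset.php text, or None."""
    m = VERSION_RE.search(iniset_text)
    return m.group(1) if m else None


def split_version(version):
    """'1.7-rc5' -> ((1, 7), ('rc', 5)); '1.6.14' -> ((1, 6, 14), None)."""
    base, _, suffix = version.partition("-")
    nums = tuple(int(p) for p in base.split("."))
    if not suffix:
        return nums, None
    m = re.fullmatch(r"(beta|rc)(\d*)", suffix)
    if not m:
        # e.g. '1.7-git': a development snapshot; treated as unreleased (assumption)
        return nums, ("unknown", 0)
    return nums, (m.group(1), int(m.group(2) or 0))


def is_fixed(version):
    """True if `version` is at or past a fixed release for this CVE.
    Assumption: branches older than 1.6 have no fix listed on the page, so they
    are reported as not fixed; branches newer than 1.7 are assumed to carry it."""
    nums, pre = split_version(version)
    branch = nums[:2]
    if branch == (1, 6):
        return pre is None and (nums + (0, 0))[:3] >= FIXED_16
    if branch == (1, 7):
        if pre is None:
            return True                      # 1.7.0 and later final releases
        kind, n = pre
        return kind == "rc" and n >= FIXED_17_RC   # rc5 and later; betas are not
    return branch > (1, 7)


def check_install(root):
    """Read RCMAIL_VERSION from <root>/program/include/iniset.php and classify it.
    Returns (version, fixed), or (None, None) if the constant was not found."""
    path = os.path.join(root, "program", "include", "iniset.php")
    with open(path, encoding="utf-8", errors="replace") as fh:
        version = parse_roundcube_version(fh.read())
    if version is None:
        return None, None
    return version, is_fixed(version)


if __name__ == "__main__":
    # Usage: python3 rc_version_check.py /var/www/roundcube (path is a placeholder)
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/roundcube"
    version, fixed = check_install(root)
    if version is None:
        print(f"RCMAIL_VERSION not found under {root}")
    else:
        print(f"{root}: Roundcube {version} -> {'fixed' if fixed else 'NOT fixed'} for CVE-2026-35540")
```

Run it against each web root that hosts Roundcube; a result of "NOT fixed" means the 1.6.14 / 1.7-rc5 upgrade below still applies, whatever the HTML-rendering settings say.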
• php / server:
find /var/www/roundcube/ -name 'config.inc.php' -exec grep -i 'disable_html_formatting' {} +
• generic web:
curl -I http://your-roundcube-server/ | grep Content-Type
• generic web:
grep -i "stylesheet url" /var/log/apache2/access.log
Disclosure
Exploit status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35540 is to upgrade Roundcube Webmail to 1.6.14 or later on the 1.6 branch, or to 1.7-rc5 or later on the 1.7 branch; these releases contain the corrected CSS sanitization. If an immediate upgrade is not feasible, a temporary workaround is to disable HTML rendering so that Roundcube displays only the plain-text version of messages (the prefer_html setting; list it in dont_override as well, otherwise users can re-enable HTML display from their preferences). This degrades the reading experience and should be reverted once the upgrade is in place. Independently of the upgrade, restrict outbound connections from the Roundcube server with egress firewall rules so that it can reach only the external resources it needs and no internal management or API endpoints; this limits what any server-side request can reach. Monitor egress or proxy logs for unexpected HTTP/HTTPS requests from the webmail host to internal addresses. After upgrading, confirm the fix by sending a test email containing a stylesheet link to an internal resource you control and verifying that no request from the webmail server arrives there.
Upgrade Roundcube Webmail to version 1.6.14 or later. This release corrects the insufficient CSS sanitization in HTML email messages, preventing possible SSRF or information disclosure. The update can be performed through the administration panel or by downloading the latest version from the official Roundcube website.
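The post-upgrade check described above, as an added Python example that is not code from the page or from the Roundcube project: build_probe_email produces the test message, carrying the stylesheet reference both as a <link rel="stylesheet"> element and as a CSS @import, and start_canary runs a small HTTP listener that records who fetched it. The sender, recipient, host names and canary URL are placeholders; simulate_fetch only stands in for the webmail server when self-testing the listener locally and is not part of the real check.

```python
"""Added example (not from the page or the Roundcube project): a probe message
plus a canary HTTP listener to verify that a patched Roundcube no longer
fetches an email's stylesheet reference on the user's behalf."""
import http.server
import socketserver
import threading
import urllib.request
from email.message import EmailMessage


def build_probe_email(sender, recipient, canary_url):
    """Multipart message whose HTML part references `canary_url` as a stylesheet
    in the two standard forms. The URL should point at a host that only the
    webmail server (not the user's browser) can reach, so that any hit is
    unambiguously a server-side fetch."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "CVE-2026-35540 post-upgrade stylesheet check"
    msg.set_content("Plain-text part; the HTML part carries the stylesheet references.")
    html = (
        "<html><head>"
        f'<link rel="stylesheet" href="{canary_url}/link.css">'
        f"<style>@import url({canary_url}/import.css);</style>"
        "</head><body>stylesheet probe</body></html>"
    )
    msg.add_alternative(html, subtype="html")
    return msg


class CanaryHandler(http.server.BaseHTTPRequestHandler):
    """Answers every GET with an empty stylesheet and records the caller."""
    hits = []  # (client address, path, User-Agent) per request

    def do_GET(self):
        CanaryHandler.hits.append(
            (self.client_address[0], self.path, self.headers.get("User-Agent", ""))
        )
        self.send_response(200)
        self.send_header("Content-Type", "text/css")
        self.end_headers()
        self.wfile.write(b"/* canary */")

    def log_message(self, *args):  # keep the default request log off stdout
        pass


def start_canary(port=0, host="127.0.0.1"):
    """Start the listener in a background thread; return (server, bound port)."""
    srv = socketserver.TCPServer((host, port), CanaryHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetched_paths():
    """Paths requested from the canary so far."""
    return [path for _, path, _ in CanaryHandler.hits]


def simulate_fetch(port, path, timeout=5):
    """Local stand-in for the webmail server's outbound fetch; only used to
    self-test the listener, never part of the real verification."""
    with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}", timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Usage sketch: run the canary where only the webmail server can reach it,
    # deliver the probe to a test mailbox, open it in Roundcube, then list hits.
    srv, port = start_canary(8080, host="0.0.0.0")
    msg = build_probe_email("probe@example.invalid", "tester@example.invalid",
                            f"http://canary.internal.invalid:{port}")  # placeholders
    print(msg)  # hand to smtplib.SMTP(...).send_message(msg) or pipe into sendmail
    input("Open the message in Roundcube, then press Enter to list canary hits... ")
    srv.shutdown()
    srv.server_close()
    for client, path, agent in CanaryHandler.hits:
        print(f"{client} fetched {path} ({agent})")
```

Read the result by source address, not just by count: a hit from the Roundcube server's address means the server fetched the stylesheet (the behaviour the fix removes), while a hit from a user's workstation means the browser loaded it client-side, which is a separate remote-content concern and not this SSRF. No hits at all after the upgrade is the expected outcome.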
CVE-2026-35540 is a Server-Side Request Forgery (SSRF) vulnerability in Roundcube Webmail releases before 1.6.14 and 1.7 pre-releases before 1.7-rc5, caused by insufficient CSS sanitization in HTML emails.
Yes, if you are running a Roundcube Webmail release older than 1.6.14, or a 1.7 pre-release older than 1.7-rc5, you are affected by this vulnerability.
Upgrade Roundcube Webmail to 1.6.14 or later (or to 1.7-rc5 or later on the 1.7 branch) to resolve the vulnerability. As a temporary workaround, disable HTML email rendering.
Currently, there are no known active exploits for CVE-2026-35540, but the vulnerability remains a potential risk.
Please refer to the official Roundcube security advisory for detailed information and updates: [https://roundcube.net/security/](https://roundcube.net/security/)