CVE-2026-35542

Published: Apr 03, 2026 Last Modified: Apr 03, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: low

Integrity: none

Availability: none

Description

AI Translation Available

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.

669

Incorrect Resource Transfer Between Spheres

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity

Potential Impacts:

Read Application Data Modify Application Data Unexpected State

Applicable Platforms

All platforms may be affected

View CWE Details

https://github.com/roundcube/roundcubemail/commit/e052328e3…

https://github.com/roundcube/roundcubemail/commit/e052328e3dc75f13adc2e314eaa40…

https://github.com/roundcube/roundcubemail/commit/fd0e98178…

https://github.com/roundcube/roundcubemail/commit/fd0e98178db5c73eaa93d005b5618…

https://github.com/roundcube/roundcubemail/commit/fde14d01a…

https://github.com/roundcube/roundcubemail/commit/fde14d01adc9f37893cd82b635883…

https://github.com/roundcube/roundcubemail/releases/tag/1.5…

https://github.com/roundcube/roundcubemail/releases/tag/1.5.14

https://github.com/roundcube/roundcubemail/releases/tag/1.6…

https://github.com/roundcube/roundcubemail/releases/tag/1.6.14

https://github.com/roundcube/roundcubemail/releases/tag/1.7…

https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5

https://roundcube.net/news/2026/03/18/security-updates-1.7-…

https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14