CVE-2026-9818

Published: May 28, 2026 Last Modified: May 28, 2026
Severity: MEDIUM (CVSS 3.x base score 4.7)
Source: 6064c9f1-42e5-4cc5-a67a-1636d7a9d3fd
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: None
Integrity: Low
Availability: None

Description


Roundcube's HTML sanitization path for message rendering allows URLs whose host is loopback (127.0.0.0/8, ::1), localhost, an RFC 1918 private range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16, fe80::/10) or an IPv6 unique local address (fc00::/7), even when remote content loading is disabled. A remote attacker can therefore send an HTML email that makes the victim's browser issue requests to services on the victim's own machine or private network as soon as the message preview is opened; the attacker never needs to reach those services directly, the victim's browser does it for them, which is why the CVSS scope is Changed and the impact lands on the targeted service (Integrity: Low) rather than on the webmail itself. Fix commits and the 1.6.16 and 1.7.1 release tags are listed under References.
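
As an added example (not Roundcube's code and not taken from the linked commits), the following Python shows the host check a sanitizer must apply to every src/href it keeps in rendered message HTML. It goes a step beyond the list in the description: browsers also accept short, decimal, hex and octal IPv4 spellings and IPv4-mapped IPv6, so a check that only looks at the literal text would still let `http://127.1/` or `http://2130706433/` through. All names (`BLOCKED_NETWORKS`, `local_url_reason`, `wash_urls`) are hypothetical and the sample URLs are constructed.

```python
"""Added example, not Roundcube's own code: the host policy a message
sanitizer needs so that an <img src> or <a href> in an email cannot point the
victim's browser at loopback, localhost, RFC 1918, link-local or IPv6 ULA
addresses. Names are hypothetical. Standard library only (Python 3.8+)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Address ranges that message content must never point the browser at.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),     # IPv4 loopback
    ipaddress.ip_network("0.0.0.0/8"),       # "this host"; 0.0.0.0 reaches loopback on Linux
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918
    ipaddress.ip_network("169.254.0.0/16"),  # IPv4 link-local (cloud metadata lives here)
    ipaddress.ip_network("::1/128"),         # IPv6 loopback
    ipaddress.ip_network("::/128"),          # IPv6 unspecified
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
    ipaddress.ip_network("fc00::/7"),        # IPv6 unique local addresses (RFC 4193)
]
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def _parse_ipv4_like_browser(host):
    """Parse every IPv4 spelling a browser accepts: a dotted quad, but also
    decimal ("2130706433"), hex ("0x7f000001"), octal ("0177.0.0.1") and
    fewer than four parts ("127.1"). Returns an IPv4Address, or None when
    the host is a DNS name."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for part in parts:
        if re.fullmatch(r"0x[0-9a-f]+", part):
            nums.append(int(part, 16))
        elif re.fullmatch(r"0[0-7]+", part):
            nums.append(int(part, 8))
        elif re.fullmatch(r"[0-9]+", part):
            nums.append(int(part, 10))
        else:
            return None  # contains other characters: a DNS label, not a number
    *head, last = nums
    # Leading parts are single octets; the last part fills the remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << (8 * (4 - len(head)))) | last
    return ipaddress.IPv4Address(value)


def host_to_address(host):
    """Return the address the browser would actually connect to for a URL
    host, or None for a DNS name. IPv6 zone ids are dropped ("fe80::1%eth0")
    and IPv4-mapped IPv6 is unwrapped so "::ffff:127.0.0.1" is 127.0.0.1."""
    host = host.lower().strip("[]").split("%", 1)[0]
    if ":" not in host:
        return _parse_ipv4_like_browser(host)
    try:
        addr = ipaddress.IPv6Address(host)
    except ValueError:
        return None
    return addr.ipv4_mapped if addr.ipv4_mapped is not None else addr


def local_url_reason(url):
    """Return why a URL must be dropped from rendered message HTML, or "" when
    it may stay. Relative URLs have no host (same origin) and are left alone."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return "unparseable host"
    if host is None:
        return ""
    if host in LOCAL_NAMES or host.endswith(".localhost"):
        return f"{host} resolves to the local machine"
    addr = host_to_address(host)
    if addr is None:
        return ""  # DNS name: what the victim's resolver returns is not knowable here
    for net in BLOCKED_NETWORKS:
        if addr in net:
            return f"{addr} is in {net}"
    return ""


def wash_urls(urls):
    """Split src/href values into (kept, dropped) as a sanitizer pass would."""
    kept, dropped = [], []
    for url in urls:
        (dropped if local_url_reason(url) else kept).append(url)
    return kept, dropped


if __name__ == "__main__":
    # Constructed src/href values from a hostile message, not real data.
    sample = ["https://cdn.example.com/tracker.gif", "http://127.1/cgi-bin/reboot",
              "http://2130706433/", "http://[::ffff:7f00:1]:8080/", "http://localhost:631/admin",
              "http://192.168.1.1/cgi-bin/luci", "http://169.254.169.254/latest/meta-data/",
              "http://[fd00::1]/", "/skins/elastic/images/logo.svg"]
    for url in sample:
        print(f"{'DROP' if local_url_reason(url) else 'keep'}  {url}  {local_url_reason(url)}")
```

The check can only recognise literals and localhost names. An attacker-controlled DNS name that resolves to 10.0.0.5 is decided by the victim's resolver, not by the server, so the control that has to hold is the one this bug bypasses: with remote content loading disabled, no external src/href should be rendered at all, and the address policy above is the backstop for the content the sanitizer does keep.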

Weakness

CWE-184: Incomplete List of Disallowed Inputs (status: Draft)
Common Consequences
Security Scopes Affected: Access Control
Potential Impacts: Bypass Protection Mechanism
Applicable Platforms: All platforms may be affected
References

https://advisories.orangecyberdefense.com/advisories/163
https://github.com/roundcube/roundcubemail/commit/7b52353653a67e6073b97d70eb940…
https://github.com/roundcube/roundcubemail/commit/faf867432f51ebbe100382a70a9e3…
https://github.com/roundcube/roundcubemail/releases/tag/1.6.16
https://github.com/roundcube/roundcubemail/releases/tag/1.7.1