Vulnerability Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Roundcube | Webmail | < 1.5.14 |
Related Weaknesses (CWE)
References
- https://github.com/roundcube/roundcubemail/commit/1a63e01542bff42aaa71c00c4c279aPatch
- https://github.com/roundcube/roundcubemail/commit/39471343ee081ce1d31696c456a2c1Patch
- https://github.com/roundcube/roundcubemail/commit/82ab5eca7b332fce7a174b2b987f09Patch
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.14Release Notes
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.14Release Notes
- https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5Release Notes
- https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14Vendor Advisory
FAQ
What is CVE-2026-35543?
CVE-2026-35543 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead t...
How severe is CVE-2026-35543?
CVE-2026-35543 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-35543?
Check the references section above for vendor advisories and patch information. Affected products include: Roundcube Webmail.