CVE-2026-35544

MEDIUM

Roundcube Webmail <1.5.14 - CSS Sanitization Bypass

Title source: llm

Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.

References (7)

Scores

CVSS v3 5.3
EPSS 0.0004
EPSS Percentile 13.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-669
Status published
Products (4)
roundcube/roundcubemail 1.7-beta - 1.7-rc5Packagist
roundcube/webmail < 1.5.13
Roundcube/Webmail < 1.5.14
Roundcube/Webmail 1.6.0 - 1.6.14
Published Apr 03, 2026
Tracked Since Apr 03, 2026