CVE-2026-26079
Awaiting Analysis Awaiting Analysis - Queue
CSS Injection in Roundcube Webmail Before 1.5.13 and

Publication date: 2026-02-11

Last updated on: 2026-02-11

Assigner: MITRE

Description
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-11
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2026-02-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26079
EUVD
EUVD-2026-5945
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
roundcube webmail to 1.5.13 (exc)
roundcube webmail to 1.6.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26079 is a CSS injection vulnerability in Roundcube Webmail versions before 1.5.13 and 1.6 before 1.6.13. The issue arises because comments in CSS are mishandled, allowing attackers to inject malicious CSS code.

The vulnerability involves improper sanitization of CSS input, where CSS comments and HTML comments within CSS were not correctly removed or detected. This allowed attackers to hide malicious CSS code inside comments or use escape sequences to bypass filters.

The fix involved improving the sanitization process by introducing a dedicated method to remove CSS and HTML comments, detecting residual or nested comments, blocking escape sequences used for obfuscation, handling malformed CSS such as missing closing braces, and restricting dangerous CSS properties and unsafe URLs.

Impact Analysis

This vulnerability can allow attackers to inject malicious CSS into the Roundcube Webmail interface.

  • Malicious CSS injection can compromise the user interface integrity, potentially altering how the webmail client appears or behaves.
  • Attackers might use CSS injection to leak sensitive information or perform UI manipulation attacks.
  • The vulnerability could also enable bypassing of remote image blocking protections via SVG content, leading to privacy breaches or user tracking.

Overall, exploitation of this vulnerability could lead to reduced security and privacy for users of affected Roundcube Webmail versions.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying malicious CSS injection attempts, particularly those involving CSS comments or escape sequences that are improperly sanitized by vulnerable Roundcube Webmail versions.'}, {'type': 'paragraph', 'content': 'The vulnerability is related to mishandling of CSS comments and SVG content in Roundcube Webmail before versions 1.5.13 and 1.6.13.'}, {'type': 'paragraph', 'content': "To detect exploitation attempts on your system or network, you can monitor HTTP requests to the Roundcube Webmail interface for suspicious CSS payloads containing comment patterns such as '/*' or '<!--', or escape sequences like '\\xx' that are indicators of CSS injection attempts."}, {'type': 'paragraph', 'content': 'While no specific commands are provided in the resources, you can use network monitoring tools or web application firewalls (WAF) to filter or log requests containing these suspicious CSS patterns.'}, {'type': 'paragraph', 'content': 'For example, using command-line tools like grep on web server logs to search for suspicious CSS comment patterns:'}, {'type': 'list_item', 'content': "grep -i -E '\\/\\*|<!--' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep -i -E '\\\\[0-9a-fA-F]{2}' /var/log/apache2/access.log"}, {'type': 'paragraph', 'content': 'These commands search for CSS comment delimiters and hexadecimal escape sequences in HTTP requests, which are relevant to the vulnerability.'}, {'type': 'paragraph', 'content': 'Additionally, checking the Roundcube version installed on your system can help detect if you are running a vulnerable version (before 1.5.13 or 1.6.13).'}] [1, 8, 9]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary and immediate mitigation step is to upgrade Roundcube Webmail to the fixed versions 1.5.13 or 1.6.13, which address the CSS injection vulnerability and related SVG content bypass.'}, {'type': 'paragraph', 'content': 'These updates include fixes that properly sanitize CSS comments, detect malicious escape sequences, and improve SVG handling to prevent injection attacks.'}, {'type': 'paragraph', 'content': 'Before upgrading, it is recommended to back up your Roundcube data and configuration.'}, {'type': 'paragraph', 'content': "If immediate upgrade is not possible, consider implementing web application firewall (WAF) rules to block or monitor suspicious CSS payloads containing comment delimiters ('/*', '<!--') or escape sequences, as these are indicators of attempted exploitation."}, {'type': 'paragraph', 'content': 'Also, review and restrict user inputs that can include CSS or SVG content, and monitor logs for suspicious activity.'}] [4, 5, 7, 8, 9]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26079. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart