CVE-2026-26079
Status: Awaiting Analysis (Queue)
CSS Injection in Roundcube Webmail Before 1.5.13 and 1.6 Before 1.6.13

Publication date: 2026-02-11

Last updated on: 2026-02-11

Assigner: MITRE

Description
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-11
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs

Vendor      Product   Version / Range
roundcube   webmail   before 1.5.13 (1.5.13 itself is fixed)
roundcube   webmail   before 1.6.13 (1.6.13 itself is fixed)

Note that the second CPE range, as recorded, covers every version below 1.6.13; the description narrows it to the 1.6 series, i.e. 1.6.0 through 1.6.12.
CWE
CWE-829 (Inclusion of Functionality from Untrusted Control Sphere): The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-26079 is a CSS injection vulnerability in Roundcube Webmail versions before 1.5.13 and 1.6 versions before 1.6.13. It arises because the sanitizer Roundcube applies to stylesheet content in the HTML it renders (chiefly incoming mail) mishandles comments, so CSS that should have been blocked reaches the user's browser.

The underlying problem was sanitization that worked on the raw stylesheet text: CSS comments (/* ... */) and HTML comments (<!-- ... -->) inside the CSS were not reliably removed or detected before the checks for dangerous constructs ran. A browser strips comments and decodes CSS escape sequences before it interprets a stylesheet, so a token such as url( or @import that is split by a comment, or spelled with escape sequences, is invisible to a filter that matches the raw text but perfectly valid to the renderer. This allowed attackers to hide malicious CSS inside comments or use escape sequences to bypass the filter.

The fix improved the sanitization process by introducing a dedicated method to remove CSS and HTML comments, detecting residual or nested comments left after that removal, blocking escape sequences used for obfuscation, handling malformed CSS such as missing closing braces, and restricting dangerous CSS properties and unsafe URLs.
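The bypass class described above, as an added example that is not Roundcube's code and not a payload from the advisory: a denylist checker that matches the raw stylesheet text is compared with a hardened checker that strips CSS and HTML comments (repeatedly, so nested or exposed comments are caught), decodes hex escapes, and rejects anything that still looks obfuscated. The token list, the sample stylesheets and the tracker.example host are constructed for the example.

```python
import re

# Added example (not Roundcube code): why a denylist that matches the raw
# stylesheet text is bypassable when comments and escapes are not normalised
# first, and a hardened checker that strips comments, decodes hex escapes and
# rejects anything that still looks obfuscated. Token list and samples are
# illustrative choices, not taken from the advisory.

DANGEROUS = ("@import", "expression(", "url(", "-moz-binding", "behavior:")

CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)            # /* ... */
CDO_CDC = re.compile(r"<!--|-->")                             # HTML comment tokens
HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?")  # e.g. \75 -> 'u'


def naive_is_safe(css: str) -> bool:
    """The vulnerable pattern: substring match on the raw, unnormalised text."""
    lowered = css.lower()
    return not any(tok in lowered for tok in DANGEROUS)


def strip_comments(css: str) -> str:
    """Remove CSS and HTML comments until a pass changes nothing, so that a
    comment exposed by removing another one (e.g. '/*/**/*/') is also seen."""
    prev = None
    while prev != css:
        prev = css
        css = CDO_CDC.sub("", CSS_COMMENT.sub("", css))
    return css


def decode_escapes(css: str) -> str:
    """Replace CSS hex escapes with the character they encode."""
    def repl(m):
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp < 0x110000 else "\ufffd"
    return HEX_ESCAPE.sub(repl, css)


def normalize(css: str) -> str:
    # Comments first, then escapes, then comments again: a decoded escape can
    # spell out a comment delimiter that was invisible in the first pass.
    return strip_comments(decode_escapes(strip_comments(css)))


def hardened_is_safe(css: str) -> bool:
    norm = normalize(css).lower()
    if "/*" in norm or "*/" in norm:   # unterminated or residual comment
        return False
    if "\\" in norm:                    # an escape the decoder did not consume
        return False
    return not any(tok in norm for tok in DANGEROUS)


# Constructed samples (not real payloads from the advisory).
SAMPLES = {
    "plain_url":      "body { background: url(http://tracker.example/p.png) }",
    "comment_split":  "body { background: u/**/rl(http://tracker.example/p.png) }",
    "hex_escape":     "body { background: \\75rl(http://tracker.example/p.png) }",
    "nested_comment": "p { color: red } /*/**/*/ span { color: blue }",
    "cdo_wrapped":    "<!-- p { color: red } -->",
    "benign":         "p { color: red } /* brand palette */",
}


def evaluate() -> dict:
    """Return {sample: (naive verdict, hardened verdict)}; True means 'allowed'."""
    return {name: (naive_is_safe(css), hardened_is_safe(css))
            for name, css in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, hard) in evaluate().items():
        print(f"{name:15} naive={'allow' if naive else 'block'}  "
              f"hardened={'allow' if hard else 'block'}")
```

The naive checker lets the comment-split and escaped url( through and also passes the residual "*/" left behind by the nested comment, while the hardened checker blocks all three and still allows the benign stylesheet and the HTML-comment-wrapped one. The hardened checker deliberately errs on the side of rejection: a stylesheet that still contains a comment delimiter or a backslash after normalisation is treated as hostile rather than parsed further.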


How can this vulnerability impact me?

This vulnerability allows an attacker who can get CSS in front of a user, for example in an HTML email, to have that CSS applied inside the Roundcube Webmail interface.

  • Malicious CSS can compromise the integrity of the user interface, altering how the webmail client appears or behaves.
  • Attackers might use CSS injection to leak sensitive information (attacker-controlled style rules can make the browser fetch remote resources conditionally on what is on the page) or to perform UI manipulation attacks such as hiding or overlaying interface elements.
  • The vulnerability could also enable bypassing of remote image blocking protections via SVG content, leading to privacy breaches or user tracking.

Overall, exploitation of this vulnerability could lead to reduced security and privacy for users of affected Roundcube Webmail versions.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection has two parts: confirming whether an installation is in the affected range, and looking for injection attempts, i.e. stylesheet content in which CSS comments or escape sequences are used to slip dangerous tokens past the sanitizer of vulnerable Roundcube versions. The vulnerability is related to mishandling of CSS comments and SVG content in Roundcube Webmail before versions 1.5.13 and, in the 1.6 series, 1.6.13.

Version check: an installation older than 1.5.13, or a 1.6.x release older than 1.6.13, is affected. Roundcube records its version in the RCMAIL_VERSION constant in program/include/iniset.php, and the About dialog in the web interface shows the same value.

Payload detection: the injected CSS reaches Roundcube inside HTML mail (style elements and style attributes), delivered over SMTP/IMAP and rendered when the recipient opens the message. It therefore does not normally appear in the web server's request logs, which record the request line (method, URL, status) but not message content or POST bodies. The patterns below only make sense against data that contains the CSS itself, such as a mail gateway's quarantine, a decoded MIME part, or a full HTTP capture; run against an Apache access log they will mostly match unrelated query strings. No specific commands are provided in the resources, so these are illustrative checks, and a web application firewall or network monitoring tool can log or filter on the same patterns:

  • grep -i -E '\/\*|<!--' /var/log/apache2/access.log
  • grep -i -E '\\[0-9a-fA-F]{2}' /var/log/apache2/access.log

The first pattern matches the CSS comment opener and the HTML comment opener; the second matches a backslash followed by two hex digits. Both are indicators rather than reliable signatures: CSS hex escapes may have one to six digits, comment openers occur legitimately in stylesheets, and in URLs these characters are usually percent-encoded, so expect noise and review matches by hand. [1, 8, 9]
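The version check, as an added example that is not Roundcube's code: it parses a version string, decides whether it falls inside the ranges published for this CVE (before 1.5.13, and 1.6 before 1.6.13), and pulls the RCMAIL_VERSION constant out of the contents of program/include/iniset.php. The iniset.php excerpt is constructed for the example, and treating a version with a suffix (such as "1.6.9-rc") by its numeric prefix is an assumption of the example, not something the advisory states.

```python
import re

# Added example (not Roundcube code): decide whether an installed Roundcube
# version falls in the affected ranges published for CVE-2026-26079
# (before 1.5.13, and 1.6 before 1.6.13). Roundcube defines RCMAIL_VERSION in
# program/include/iniset.php; the file excerpt below is constructed for the
# example, and version strings with suffixes (e.g. "1.6.9-rc") are judged by
# their numeric prefix, which is an assumption of this example.

VERSION_DEFINE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")

# Ranges as (lower inclusive, upper exclusive), taken from the advisory text.
# Versions outside both ranges (e.g. 1.5.13, 1.6.13, 1.7.x) are treated as
# unaffected per the published ranges.
AFFECTED_RANGES = (
    ((0, 0, 0), (1, 5, 13)),   # every release before 1.5.13
    ((1, 6, 0), (1, 6, 13)),   # 1.6 series before 1.6.13
)


def parse_version(text: str) -> tuple:
    """Turn 'MAJOR.MINOR[.PATCH][suffix]' into a comparable integer tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def version_from_iniset(source: str) -> str:
    """Pull the RCMAIL_VERSION constant out of iniset.php contents."""
    m = VERSION_DEFINE.search(source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found in iniset.php contents")
    return m.group(1)


# Constructed excerpt in the shape of program/include/iniset.php.
SAMPLE_INISET = """<?php
// application constants
define('RCMAIL_VERSION', '1.6.9');
define('RCMAIL_START', microtime(true));
"""


def check_install(source: str) -> dict:
    """Report the version found in iniset.php contents and whether it is affected."""
    v = version_from_iniset(source)
    return {"version": v, "affected": is_affected(v)}


if __name__ == "__main__":
    # On a real host, read the file instead of using the constructed sample:
    # with open("/var/www/roundcube/program/include/iniset.php") as f:
    #     print(check_install(f.read()))
    print(check_install(SAMPLE_INISET))
```

Run it against the real iniset.php of each installation (the path under the web root varies by distribution); a result of affected: True means the host should be scheduled for the upgrade described under mitigation.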


What immediate steps should I take to mitigate this vulnerability?

The primary and immediate mitigation step is to upgrade Roundcube Webmail to the fixed versions, 1.5.13 for the 1.5 series or 1.6.13 for the 1.6 series, which address the CSS injection vulnerability and the related SVG content bypass.

These updates include fixes that properly sanitize CSS comments, detect malicious escape sequences, and improve SVG handling to prevent injection attacks.

Before upgrading, back up your Roundcube data and configuration.

If an immediate upgrade is not possible, consider web application firewall (WAF) rules that block or monitor suspicious CSS payloads containing comment delimiters ('/*', '<!--') or escape sequences, as these are indicators of attempted exploitation. Be aware of what a WAF can see: it inspects HTTP traffic between users and Roundcube, whereas the malicious CSS arrives inside mail delivered over SMTP and fetched over IMAP, so the same patterns are better enforced at the mail gateway, where the HTML part actually passes. Reducing exposure on the client side also helps, for example by having users prefer the plain-text view of messages (Roundcube's prefer_html preference) until the upgrade is done.

Also review any other places where untrusted CSS or SVG content could reach the Roundcube interface, and monitor logs for suspicious activity. [4, 5, 7, 8, 9]

