CVE-2026-35544
CSS Sanitization Bypass in Roundcube Webmail Allows Style Injection
Publication date: 2026-04-03
Last updated on: 2026-04-09
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roundcube | webmail | Up to 1.5.13 (inclusive) |
| roundcube | webmail | From 1.6.0 to 1.6.13 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-669 | The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Roundcube Webmail involves insufficient sanitization of Cascading Style Sheets (CSS) in HTML email messages. Specifically, the issue allows attackers to bypass a security mitigation that prevents the use of CSS 'position: fixed' by appending the '!important' directive. The original mitigation converted 'position: fixed' to 'position: absolute' to prevent UI overlay or clickjacking attacks, but it failed to detect 'position: fixed !important'. This allowed malicious CSS to retain fixed positioning, potentially enabling UI manipulation.
The fix updates the CSS sanitization function to detect any occurrence of 'fixed' in the position property value, including when combined with '!important', and converts it to 'position: absolute'. This prevents attackers from bypassing the mitigation using '!important'.
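The exact-match versus substring-match difference described above, shown as a constructed Python re-implementation of the idea (this is an added example, not Roundcube's PHP code; the function names are assumptions):

```python
import re

# One CSS declaration value (the text after "position:") goes in, the
# sanitized value comes out.

def sanitize_position_exact(value: str) -> str:
    """Pre-fix behaviour: only an exact 'fixed' value is rewritten, so
    'fixed !important' slips through untouched."""
    return "absolute" if value.strip().lower() == "fixed" else value


def sanitize_position_substring(value: str) -> str:
    """Post-fix behaviour: any 'fixed' token anywhere in the value is
    rewritten, so 'fixed !important' becomes 'absolute !important'."""
    return re.sub(r"\bfixed\b", "absolute", value, flags=re.IGNORECASE)


# Matches "position : <value>" up to the next ';' or '}' in a style block.
_POSITION_DECL = re.compile(r"(position\s*:\s*)([^;}]+)", re.IGNORECASE)


def sanitize_block(css: str, sanitizer) -> str:
    """Apply `sanitizer` to every position declaration in a style block."""
    return _POSITION_DECL.sub(lambda m: m.group(1) + sanitizer(m.group(2)), css)


def retains_fixed(css: str) -> bool:
    """True if the sanitized CSS still carries fixed positioning."""
    return re.search(r"position\s*:\s*fixed\b", css, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed sample: the bypass variant with the '!important' directive.
    sample = "div{position: fixed !important;top:0;left:0}"
    for name, fn in (("exact", sanitize_position_exact),
                     ("substring", sanitize_position_substring)):
        out = sanitize_block(sample, fn)
        print(f"{name:9s} -> {out}  (fixed retained: {retains_fixed(out)})")
```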
How can this vulnerability impact me?
This vulnerability can impact users by allowing attackers to inject CSS with 'position: fixed !important' in HTML emails, which bypasses the intended sanitization. This can enable malicious UI overlays or clickjacking attacks within the Roundcube Webmail interface, potentially tricking users into interacting with hidden or disguised elements.
Such UI manipulation could lead to unauthorized actions or information disclosure by deceiving users through the webmail interface.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a sanitization gap in Roundcube Webmail's handling of CSS in HTML email messages, specifically the "position: fixed" property combined with the "!important" directive.
Detection therefore means inspecting HTML email messages processed by Roundcube for style declarations containing "position: fixed !important" or spacing variants of it that the pre-fix sanitizer did not rewrite.
Suggested commands to find such CSS in stored emails or logs include grep or similar tools; a case-insensitive regular expression that tolerates optional whitespace catches variants such as "position:fixed!important" that an exact string would miss, for example:
- `grep -riE 'position\s*:\s*fixed\s*!\s*important' /path/to/roundcube/maildir/`
- `grep -riE 'position\s*:\s*fixed' /path/to/roundcube/maildir/ | grep -i '!important'`
Note that HTML bodies in stored messages are often quoted-printable or base64 encoded, so a grep over raw maildir files only catches unencoded parts; decode the MIME parts before searching for reliable results.
Additionally, monitoring or logging Roundcube's CSS sanitization function behavior or errors might help detect attempts to exploit this vulnerability.
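A MIME-aware version of the detection described above, as an added example rather than anything from the page or the Roundcube project: it decodes each text/html part before matching, so a base64-encoded body that a raw grep would miss is still found. The sample message is constructed inline.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Tolerates spacing variants such as "position:fixed!important".
FIXED_IMPORTANT = re.compile(r"position\s*:\s*fixed\s*!\s*important", re.IGNORECASE)


def find_fixed_important(raw: bytes) -> list:
    """Parse a raw RFC 822 message, decode every text/html part and return
    the matching CSS fragments. Decoding is the point: the transfer encoding
    (base64, quoted-printable) hides the pattern from a grep on the file."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()  # decoded to str by the email package
        hits.extend(m.group(0) for m in FIXED_IMPORTANT.finditer(html))
    return hits


def build_sample() -> bytes:
    """Constructed sample message: the HTML alternative carries the overlay
    style and is base64-encoded, as many mail clients would send it."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("plain-text fallback")
    msg.add_alternative(
        '<div style="position:fixed !important;top:0;left:0">overlay</div>',
        subtype="html",
        cte="base64",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample()
    print("raw bytes contain pattern:", b"position:fixed" in raw)  # False: encoded
    print("decoded hits:", find_fixed_important(raw))
```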
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update Roundcube Webmail to version 1.5.14, 1.6.14, or later, where the vulnerability has been fixed.
The fix involves updating the CSS sanitization function to detect and convert any "position: fixed" CSS declarations, including those with the "!important" directive, to "position: absolute", preventing the bypass.
If immediate upgrading is not possible, consider applying the patch that modifies the sanitize_css_block function in program/lib/Roundcube/rcube_utils.php to detect "position: fixed" substrings rather than exact matches.
Also, review and restrict HTML email content or sanitize incoming emails to prevent malicious CSS injections.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Roundcube Webmail involves insufficient CSS sanitization that could allow attackers to bypass the "position: fixed" mitigation using the CSS !important directive. This could potentially enable UI overlay or clickjacking attacks.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, vulnerabilities that allow UI manipulation or clickjacking can increase the risk of unauthorized access or phishing attacks, which may indirectly impact compliance with data protection and privacy regulations.
The fix for this vulnerability improves the security posture of Roundcube Webmail by preventing CSS-based UI manipulation attacks, thereby reducing potential risks that could affect compliance with security requirements in common standards and regulations.