CVE-2026-35544
Received Received - Intake
CSS Sanitization Bypass in Roundcube Webmail Allows Style Injection

Publication date: 2026-04-03

Last updated on: 2026-04-09

Assigner: MITRE

Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35544
EUVD
EUVD-2026-18591
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
roundcube webmail to 1.5.13 (inc)
roundcube webmail From 1.6.0 (inc) to 1.6.13 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Roundcube Webmail involves insufficient sanitization of Cascading Style Sheets (CSS) in HTML email messages. Specifically, the issue allows attackers to bypass a security mitigation that prevents the use of CSS 'position: fixed' by appending the '!important' directive. The original mitigation converted 'position: fixed' to 'position: absolute' to prevent UI overlay or clickjacking attacks, but it failed to detect 'position: fixed !important'. This allowed malicious CSS to retain fixed positioning, potentially enabling UI manipulation.

The fix updates the CSS sanitization function to detect any occurrence of 'fixed' in the position property value, including when combined with '!important', and converts it to 'position: absolute'. This prevents attackers from bypassing the mitigation using '!important'.

Impact Analysis

This vulnerability can impact users by allowing attackers to inject CSS with 'position: fixed !important' in HTML emails, which bypasses the intended sanitization. This can enable malicious UI overlays or clickjacking attacks within the Roundcube Webmail interface, potentially tricking users into interacting with hidden or disguised elements.

Such UI manipulation could lead to unauthorized actions or information disclosure by deceiving users through the webmail interface.

Detection Guidance

This vulnerability relates to insufficient sanitization of CSS in HTML email messages within Roundcube Webmail, specifically involving the CSS property "position: fixed" combined with the "!important" directive.

Detection would involve inspecting HTML email messages processed by Roundcube Webmail for CSS styles that use "position: fixed !important" or similar variants that bypass sanitization.

Since the issue is in the sanitization function of Roundcube, you can detect attempts to exploit this vulnerability by searching for emails containing CSS with "position: fixed" combined with "!important".

Suggested commands to detect such CSS in stored emails or logs might include using grep or similar tools to search for the pattern "position: fixed !important" in email files or logs, for example:

  • grep -i 'position: fixed !important' /path/to/roundcube/maildir/*
  • grep -i 'position: fixed' /path/to/roundcube/maildir/* | grep '!important'

Additionally, monitoring or logging Roundcube's CSS sanitization function behavior or errors might help detect attempts to exploit this vulnerability.

Mitigation Strategies

The primary mitigation is to update Roundcube Webmail to version 1.5.14, 1.6.14, or later, where the vulnerability has been fixed.

The fix involves updating the CSS sanitization function to detect and convert any "position: fixed" CSS declarations, including those with the "!important" directive, to "position: absolute", preventing the bypass.

If immediate upgrading is not possible, consider applying the patch that modifies the sanitize_css_block function in program/lib/Roundcube/rcube_utils.php to detect "position: fixed" substrings rather than exact matches.

Also, review and restrict HTML email content or sanitize incoming emails to prevent malicious CSS injections.

Compliance Impact

The vulnerability in Roundcube Webmail involves insufficient CSS sanitization that could allow attackers to bypass fixed position mitigation using the CSS !important directive. This could potentially enable UI overlay or clickjacking attacks.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, vulnerabilities that allow UI manipulation or clickjacking can increase the risk of unauthorized access or phishing attacks, which may indirectly impact compliance with data protection and privacy regulations.

The fix for this vulnerability improves the security posture of Roundcube Webmail by preventing CSS-based UI manipulation attacks, thereby reducing potential risks that could affect compliance with security requirements in common standards and regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35544. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart