CVE-2026-48843
Status: Deferred - Pending Action
Cross-Site Scripting in Roundcube Webmail

Publication date: 2026-05-25

Last updated on: 2026-05-25

Assigner: MITRE

Description
Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16, and 1.7.x before 1.7.1, has insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages, which may lead to SSRF or information disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an insufficient fix for CVE-2026-35540.
Meta Information
Generated: 2026-06-15
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-06-14
Affected Vendors & Products (2 associated CPEs)

Vendor     Product     Version / Range
roundcube  roundcube   from 1.6.14 (inclusive) to 1.6.16 (inclusive)
roundcube  roundcube   up to 1.7.1 (exclusive)
CWE ID   Description
CWE-918  The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Compliance Impact

The vulnerability in Roundcube Webmail involving insufficient CSS sanitization may lead to Server-Side Request Forgery (SSRF) or information disclosure. Such information disclosure could potentially expose sensitive data.

Exposure of sensitive information through this vulnerability could impact compliance with data protection regulations such as GDPR or HIPAA, which require safeguarding personal and health information against unauthorized access or disclosure.

However, specific impacts on compliance depend on the nature of the data exposed and the context of the deployment, which is not detailed in the provided information.

Executive Summary

This vulnerability affects Roundcube Webmail versions 1.6.x between 1.6.14 and 1.6.16, and 1.7.x before 1.7.1. It is caused by insufficient sanitization of Cascading Style Sheets (CSS) in HTML email messages. Specifically, if stylesheet links in emails point to local network hosts, this flaw may lead to Server-Side Request Forgery (SSRF) or information disclosure. The issue is related to an incomplete fix for a previous vulnerability identified as CVE-2026-35540.

Impact Analysis

The vulnerability can allow attackers to perform SSRF attacks or gain unauthorized access to sensitive information. By exploiting the insufficient CSS sanitization, attackers may cause the server to make unintended requests to internal network hosts or disclose information that should be protected, potentially compromising confidentiality and security.
