Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.
Published: 2026-04-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: CSS Injection Leading to UI Manipulation
Action: Patch
AI Analysis

Impact

The vulnerability resides in Roundcube Webmail’s CSS sanitization routine for HTML email content. Because the filtering is insufficient, attackers can embed style directives that include the !important rule, which overrides the webmail interface’s fixed‑position styles. This allows a malicious email to rearrange or hide UI elements, potentially tricking users into interacting with deceptive controls or facilitating phishing attacks. The weakness corresponds to a lack of strict input validation and is identified as CWE‑669.

Affected Systems

Roundcube Webmail is the affected product. Versions earlier than 1.5.14 and 1.6.14 are vulnerable. Installing any release 1.5.13 or earlier, or 1.6.13 or earlier, exposes the system to this manipulation attack. Versions 1.5.14 and above, and 1.6.14 and above, contain the fix.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No public exploit code is known, and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation. The likely attack vector is the delivery of a malicious HTML email that the victim opens in the webmail client, enabling the attacker to inject the problematic CSS. Administrators should consider this a moderate risk and apply the patch promptly.

Generated by OpenCVE AI on April 3, 2026 at 07:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether the installed Roundcube version is earlier than 1.5.14 or 1.6.14.
  • Upgrade to the latest release, at least 1.5.14 or 1.6.14, which includes the CSS sanitization fix.
  • After upgrading, test mail rendering to confirm that style overrides no longer affect the webmail layout.
  • Continuously monitor incoming HTML emails for unexpected styling changes as an additional precaution.

Generated by OpenCVE AI on April 3, 2026 at 07:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xpqh-grpw-4xmg Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages
History

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Fixed-Position Mitigation Bypass via CSS Injection in Roundcube Webmail
First Time appeared Roundcube
Roundcube webmail
Vendors & Products Roundcube
Roundcube webmail

Fri, 03 Apr 2026 05:15:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.
Weaknesses CWE-669
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Roundcube Webmail
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T12:50:12.338Z

Reserved: 2026-04-03T03:59:48.463Z

Link: CVE-2026-35544

cve-icon Vulnrichment

Updated: 2026-04-03T12:50:09.218Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-03T05:16:22.810

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-35544

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:15:50Z

Weaknesses