Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.
Published: 2026-04-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: CSS injection bypasses the fixed-position safeguard, letting an HTML message place content over the webmail interface (UI spoofing; the CVSS vector records an integrity impact only).
Action: Immediate Patch
AI Analysis

Impact

Roundcube rewrites fixed positioning in message CSS so that an HTML e-mail cannot anchor elements to the browser viewport and draw over the webmail interface outside the message body. Insufficient sanitization lets an attacker append !important to such a declaration and evade that rewrite, so message content can again be fixed over the Roundcube UI (for example, covering message headers or imitating client dialogs). The CVSS vector records a limited integrity impact and no confidentiality impact, which matches a UI-spoofing outcome rather than data disclosure; the practical effect depends on the layout of the crafted message.

Affected Systems

Roundcube Webmail 1.5 releases before 1.5.14 and 1.6 releases before 1.6.14 are affected; older 1.x releases, which predate both fixes, are affected as well. Upgrading to 1.5.14, 1.6.14, or a later release such as 1.7-rc5 removes the flaw.

Risk and Exploitability

The CVSS 3.1 base score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N): reachable over the network without privileges, with a limited integrity impact and no confidentiality or availability impact. The EPSS score is below 1 %, the issue is not listed in the CISA KEV catalog, and the SSVC record marks Exploitation as none and Automatable as yes, so no exploitation is known but the attack is easy to mass-produce. Exploitation requires only a crafted HTML e-mail carrying the CSS, delivered to a user of an affected version and displayed in the HTML view; no account on the server and no code execution are needed.

Generated by OpenCVE AI on April 9, 2026 at 02:51 UTC.

Remediation

Fixed in Roundcube Webmail 1.5.14 and 1.6.14; see GHSA-xpqh-grpw-4xmg and DSA-6196-1 under Advisories below.

OpenCVE Recommended Actions

  • Upgrade to 1.5.14 on the 1.5 branch, 1.6.14 on the 1.6 branch, or 1.7‑rc5 or later.
  • Confirm the deployed version after the update (the About dialog in the client, or the RCMAIL_VERSION constant in program/include/iniset.php) rather than trusting the package manager alone.
  • If an immediate upgrade is not possible, filter incoming mail before it reaches the client by stripping or rewriting position: fixed declarations, including those followed by !important, in both style attributes and <style> blocks; alternatively, display messages as plain text (the prefer_html setting) until the fix is deployed.
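The following added example, written for this page and not Roundcube's or OpenCVE's code, illustrates both the bypass described under Impact and the interim filter suggested in the last bullet: wash_style_naive() shows the class of safeguard that a trailing !important slips past, wash_style() tokenises each declaration so the flag cannot hide the value, and find_fixed_important() flags stored messages that attempted the bypass. Function names, the naive pattern and the sample message body are illustrative assumptions.

```python
"""Added example for this advisory page: a CSS declaration washer with the
fixed-position safeguard, a naive variant that "!important" bypasses, and a
hunting helper.  Illustrative code, not Roundcube's implementation."""
import re
from typing import List, Tuple

# Naive safeguard (assumed, not Roundcube's code): rewrites only a bare
# "position: fixed" directly followed by ";" or end of string, so
# "position: fixed !important" never matches and passes through unchanged.
_NAIVE = re.compile(r"position\s*:\s*fixed\s*(;|$)", re.I)

def wash_style_naive(style: str) -> str:
    return _NAIVE.sub(r"position: absolute\1", style)

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_IMPORTANT = re.compile(r"!\s*important\s*$", re.I)

def parse_declarations(style: str) -> List[Tuple[str, str, bool]]:
    """Split an inline style string into (property, value, important) triples.
    Comments are removed first so "fixed /**/ !important" is seen as "fixed".
    Caveat: splitting on ";" is enough for this demonstration but not for
    values with ";" inside url() or quoted strings, and CSS escapes such as
    "f\\69 xed" would need decoding in a production washer."""
    decls = []
    for chunk in _COMMENT.sub("", style).split(";"):
        if ":" not in chunk:
            continue
        prop, value = chunk.split(":", 1)
        prop, value = prop.strip().lower(), value.strip()
        important = False
        m = _IMPORTANT.search(value)
        if m:
            important = True
            value = value[: m.start()].strip()
        if prop:
            decls.append((prop, value, important))
    return decls

def wash_style(style: str) -> str:
    """Hardened safeguard: compare the parsed value, so "!important" (kept,
    since it is harmless once the value is absolute) cannot hide it."""
    out = []
    for prop, value, important in parse_declarations(style):
        if prop == "position" and value.lower() == "fixed":
            value = "absolute"
        out.append(f"{prop}: {value}" + (" !important" if important else ""))
    return "; ".join(out)

# Minimal regex hooks into the markup for the demonstration only; a real
# washer (Roundcube's included) walks a parsed DOM instead.
_STYLE_ATTR = re.compile(r"(\sstyle\s*=\s*)([\"'])(.*?)\2", re.I | re.S)
_STYLE_BLOCK = re.compile(r"(<style\b[^>]*>)(.*?)(</style>)", re.I | re.S)
_RULE_BODY = re.compile(r"\{([^{}]*)\}", re.S)

def wash_html(html: str) -> str:
    """Apply wash_style() to every style attribute and <style> rule body."""
    def attr(m):
        return f"{m.group(1)}{m.group(2)}{wash_style(m.group(3))}{m.group(2)}"
    def block(m):
        body = _RULE_BODY.sub(lambda r: "{ " + wash_style(r.group(1)) + " }", m.group(2))
        return m.group(1) + body + m.group(3)
    return _STYLE_BLOCK.sub(block, _STYLE_ATTR.sub(attr, html))

def find_fixed_important(html: str) -> List[str]:
    """Hunting helper: list declarations that attempt the !important bypass,
    for scanning mail stored before the fix was deployed."""
    styles = [m.group(3) for m in _STYLE_ATTR.finditer(html)]
    for m in _STYLE_BLOCK.finditer(html):
        styles += [r.group(1) for r in _RULE_BODY.finditer(m.group(2))]
    return [f"{p}: {v} !important"
            for s in styles
            for p, v, imp in parse_declarations(s)
            if imp and p == "position" and v.lower() == "fixed"]

# Constructed sample body (not from a real message): a full-viewport overlay
# via a style attribute, and the same via a <style> rule with odd spacing.
SAMPLE_HTML = (
    '<div style="position: fixed !important; top:0; left:0; width:100%; height:100%">'
    'overlay</div>'
    '<style>.x { POSITION : FIXED /* c */ !IMPORTANT ; }</style>'
)

if __name__ == "__main__":
    print("naive :", wash_style_naive("position: fixed !important; top:0"))
    print("washed:", wash_html(SAMPLE_HTML))
    print("hits  :", find_fixed_important(SAMPLE_HTML))
```

The design point is in wash_style(): the safeguard must decide on the parsed value of the declaration, not on a substring match against the raw text, because anything appended after the value (a priority flag, a comment, unusual whitespace or case) changes the raw text without changing what the browser applies. The same parser doubles as a detection rule over archived mail, which is the check to run after patching if you want to know whether anyone tried this before the upgrade.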

Advisories
Source        ID                     Title
Debian DSA    DSA-6196-1             roundcube security update
Github GHSA   GHSA-xpqh-grpw-4xmg    Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages
History

Thu, 09 Apr 2026 08:30:00 +0000

Type     Values Removed    Values Added
Title    -                 Fixed-Position Mitigation Bypass via CSS Injection in Roundcube Webmail

Thu, 09 Apr 2026 01:15:00 +0000

Type     Values Removed    Values Added
CPEs     -                 cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 14:00:00 +0000

Type     Values Removed    Values Added
Metrics  -                 ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed    Values Added
Title                -                 Fixed-Position Mitigation Bypass via CSS Injection in Roundcube Webmail
First Time appeared  -                 Roundcube; Roundcube webmail
Vendors & Products   -                 Roundcube; Roundcube webmail

Fri, 03 Apr 2026 05:15:00 +0000

Type         Values Removed    Values Added
Description  -                 An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.
Weaknesses   -                 CWE-669
References   -                 -
Metrics      -                 cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T12:50:12.338Z

Reserved: 2026-04-03T03:59:48.463Z

Link: CVE-2026-35544

Vulnrichment

Updated: 2026-04-03T12:50:09.218Z

NVD

Status : Analyzed

Published: 2026-04-03T05:16:22.810

Modified: 2026-04-09T01:09:00.530

Link: CVE-2026-35544

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:29:18Z

Weaknesses