Impact
Roundcube Webmail 1.6.x versions from 1.6.14 through 1.6.16 and 1.7.x versions prior to 1.7.1 do not properly sanitize Cascading Style Sheets (CSS) in incoming HTML e-mail messages. An attacker can embed stylesheet links that point to internal network hosts or other resources, which can result in server-side request forgery (SSRF) or the unintended disclosure of sensitive information through the webmail interface. The weakness stems from an incomplete fix for a prior issue, CVE-2026-35540, and is classified under CWE-918. The flaw is triggered when a user opens a maliciously crafted e-mail that contains the offending CSS link: once the message is parsed, the Roundcube client may request the specified host, allowing the attacker to gain unauthorized access to internal network resources or to retrieve data not intended for the user.
Affected Systems
All installations of Roundcube Webmail that are running versions 1.6.14 through 1.6.16 inclusive or versions 1.7.x earlier than 1.7.1 are vulnerable. These versions are listed under the vendor Roundcube and the common product name Webmail. Customers operating these releases should consider them at risk until they apply the available updates.
Risk and Exploitability
The CVSS base score of 7.2 indicates a medium-to-high level of risk, with potential for both confidentiality and integrity compromise. The EPSS score is not available, so the probability of exploitation cannot be quantified at this time, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. The likely attack vector is a crafted e-mail that includes a CSS link pointing at an internal host; exploitation requires user interaction (opening the e-mail) and that the Roundcube process is able to make outbound HTTP requests. Although exploitation depends on user action, a successful SSRF or information disclosure could be significant, enabling internal network reconnaissance or data leakage.
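As an added example (not Roundcube's own code), a small Python checker that a mail gateway or an analyst could run over an inbound HTML body to flag the stylesheet references the advisory describes: `<link rel=stylesheet>` hrefs, `@import` targets and `url()` values whose host is private, loopback, link-local or a local-only name. The sample message and the `.local`/`.internal` suffix list are constructed assumptions; DNS resolution of public names is deliberately out of scope.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# CSS constructs that make a renderer fetch a remote resource: @import and url().
CSS_URL_RE = re.compile(r"""@import\s+(?:url\()?\s*['"]?([^'")\s;]+)|url\(\s*['"]?([^'")\s]+)""", re.I)

def is_internal_host(host):
    host = host.lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal: only assumed local-only names count; DNS is out of scope
        return host == "localhost" or host.endswith((".local", ".internal"))
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified

def css_urls(css):
    return [m.group(1) or m.group(2) for m in CSS_URL_RE.finditer(css)]

class CssRefCollector(HTMLParser):
    # Gathers <link rel=stylesheet> hrefs, <style> block contents and style="" attributes.
    def __init__(self):
        super().__init__()
        self.refs, self._in_style = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self.refs.append(a["href"])
        elif tag == "style":
            self._in_style = True
        if a.get("style"):
            self.refs.extend(css_urls(a["style"]))
    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
    def handle_data(self, data):
        if self._in_style:
            self.refs.extend(css_urls(data))

def find_risky_css_refs(html):
    # CSS-referenced URLs whose host is private, loopback, link-local or a local-only name.
    parser = CssRefCollector()
    parser.feed(html)
    parser.close()
    return [r for r in parser.refs if (h := urlsplit(r).hostname) and is_internal_host(h)]

# Constructed sample message (not a real e-mail): one public CDN reference and three internal ones.
SAMPLE_MAIL = ('<html><head><link rel="stylesheet" href="http://10.0.0.12/theme.css"><style>'
               '@import url("http://169.254.169.254/latest/meta-data/"); body { background: url(https://cdn.example.com/bg.png); }'
               '</style></head><body><p style="background:url(\'//localhost:8025/pixel\')">hi</p></body></html>')
```

Calling `find_risky_css_refs(SAMPLE_MAIL)` returns the three internal references and leaves the public CDN image alone; a gateway would quarantine or strip such references before the webmail renderer ever sees them.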