Impact
Roundcube Webmail’s HTML sanitizer incorrectly permits URLs that point at loopback, localhost, RFC1918, link‑local and IPv6 ULA addresses even when remote content loading is disabled. A remote attacker can send a crafted HTML email that, when the recipient opens the preview, causes the victim’s browser to issue requests to services on the victim’s private or local networks. Because the requests originate from the victim’s browser rather than from the attacker, they reach hosts the attacker could not address directly. The behavior can lead to information disclosure and internal network discovery, and could trigger unintended actions on local services that act on unauthenticated requests. The root cause is an incomplete list of disallowed inputs (CWE‑184): the check that decides whether a URL counts as remote content does not cover these address ranges.
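The following is an added example written for this advisory, not Roundcube’s code. It contrasts a prefix-based denylist of the kind that produces a CWE‑184 flaw with a classifier built on the standard `ipaddress` module, and then shows the policy a remote-content switch should actually enforce: with remote content disabled, nothing that has a network host is loaded, whatever address class that host falls in. The sample URLs, the `cid:`/`data:` inline allowlist, and the class names are assumptions made for the illustration.

```python
"""Classify the host of a URL taken from an HTML e-mail and decide whether a
'remote content disabled' policy may load it.

Added example for this advisory; not Roundcube's code. The scheme allowlist
(cid:, data:) and the class names are assumptions for the illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample URLs of the kind a crafted message could carry.
SAMPLE_URLS = [
    "https://example.com/track.gif",
    "http://127.0.0.1:8080/",
    "http://localhost/admin",
    "http://10.0.0.5/status",
    "http://172.16.4.20/",
    "http://192.168.1.1/",
    "http://169.254.169.254/latest/meta-data/",
    "http://[::1]/",
    "http://[fe80::1]/",
    "http://[fd12:3456::1]/",
    "http://[::ffff:10.0.0.5]/",
    "cid:part1.abc@example.com",
    "data:image/png;base64,iVBORw0KGgo=",
]

# CWE-184 style check: a hand-written list of string prefixes. It misses
# 172.16/12, 169.254/16, every IPv6 form and IPv4-mapped IPv6 addresses.
WEAK_DENYLIST = ("127.", "10.", "192.168.", "localhost")


def weak_is_local(url: str) -> bool:
    host = urlsplit(url).hostname or ""
    return host.startswith(WEAK_DENYLIST)


ULA = ipaddress.ip_network("fc00::/7")  # IPv6 unique local addresses


def host_class(url: str) -> str:
    """Return 'none', 'name', 'loopback', 'link_local', 'ula', 'private' or 'public'."""
    host = urlsplit(url).hostname  # brackets stripped, lower-cased
    if not host:
        return "none"
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"  # a DNS name: its address is only known at resolution time
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is the IPv4 address a.b.c.d
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link_local"
    if isinstance(ip, ipaddress.IPv6Address) and ip in ULA:
        return "ula"
    if ip.is_private:  # RFC1918 and other non-routable IPv4 ranges
        return "private"
    return "public"


def allowed_when_remote_disabled(url: str) -> bool:
    """With remote content off, only inline resources may load. Any URL with a
    network host is an outbound request, no matter which class the host is in."""
    parts = urlsplit(url)
    return parts.scheme in ("cid", "data") and not parts.netloc


def report(urls=SAMPLE_URLS):
    """Map each URL to (host class, caught by weak denylist, allowed by policy)."""
    return {u: (host_class(u), weak_is_local(u), allowed_when_remote_disabled(u))
            for u in urls}


if __name__ == "__main__":
    for url, (cls, weak, allowed) in report().items():
        print(f"{url:45} class={cls:10} weak_blocks={weak!s:5} policy_allows={allowed}")
```

Running the script shows the weak denylist letting `172.16.4.20`, `169.254.169.254` and every bracketed IPv6 host through, while `host_class` labels each of them. The policy function deliberately ignores the class: a DNS name can resolve to a private address after the sanitizer has run, so the only check that holds under “remote content disabled” is that no network host is contacted at all.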
Affected Systems
All Roundcube Webmail releases older than 1.6.16 on the 1.6 branch or older than 1.7.1 on the 1.7 branch are affected. The fix ships in 1.6.16 and 1.7.1; upgrade to whichever matches the installed branch.
Risk and Exploitability
The CVSS score of 4.7 corresponds to medium severity. No EPSS score is available and the vulnerability is not listed in CISA KEV. Exploitation requires only that a recipient open the preview of a crafted message; the attacker needs no server access, no code execution and no prior foothold on the victim’s network. The induced requests to private or local addresses are issued by the victim’s browser from inside that network, which makes them useful for reconnaissance or for poking internal services, and the scenario is realistic for any user who reads mail from an untrusted sender. Given the medium severity and the absence of a widely available public exploit, the overall risk is moderate, but it is not negligible for environments that expose sensitive services on internal or loopback addresses.
OpenCVE Enrichment