{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35543", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-03T03:57:05.990Z", "datePublished": "2026-04-03T03:57:06.528Z", "dateUpdated": "2026-04-03T12:50:54.031Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Webmail", "vendor": "Roundcube", "versions": [{"lessThan": "1.5.14", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "1.6.14", "status": "affected", "version": "1.6.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-669", "description": "CWE-669 Incorrect Resource Transfer Between Spheres", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T03:57:06.528Z"}, "references": [{"url": "https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5"}, {"url": "https://github.com/roundcube/roundcubemail/commit/82ab5eca7b332fce7a174b2b987f0957a66377cd"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.14"}, {"url": "https://github.com/roundcube/roundcubemail/commit/39471343ee081ce1d31696c456a2c163462daae3"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"}, {"url": "https://github.com/roundcube/roundcubemail/commit/1a63e01542bff42aaa71c00c4c279a09ef31f20c"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T12:50:45.786052Z", "id": "CVE-2026-35543", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:50:54.031Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass."}], "id": "CVE-2026-35543", "lastModified": "2026-04-03T05:16:22.637", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-03T05:16:22.637", "references": [{"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/1a63e01542bff42aaa71c00c4c279a09ef31f20c"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/39471343ee081ce1d31696c456a2c163462daae3"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/82ab5eca7b332fce7a174b2b987f0957a66377cd"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.14"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5"}, {"source": "cve@mitre.org", "url": "https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-669"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.14)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.6.0,1.6.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Webmail", "source": "cna", "vendor": "Roundcube"}, "product": "webmail", "vendor": "roundcube"}], "analysis": {"en": {"generated_at": "2026-04-03T07:52:12.246589+00:00", "value": {"mitigation_remediation": ["Upgrade Roundcube Webmail to version 1.5.14, 1.6.14, or 1.7\u2011rc5 to remove the SVG processing flaw"], "summary": {"action": "Apply patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "All installations of Roundcube Webmail running a version earlier than 1.5.14 or 1.6.14 are vulnerable. The issue covers the 1.5.x and 1.6.x series, as well as the 1.7\u2011rc5 release prior to its update.", "description_and_impact": "Roundcube Webmail implements a feature that blocks automatic loading of external images in e\u2011mails to protect user privacy. A flaw allows an attacker to embed an SVG file that includes animate attributes in an e\u2011mail. When the e\u2011mail is viewed, the SVG bypasses the blocking logic and triggers the client to fetch the referenced image, revealing the existence of the mailbox or exposing sensitive message details. The weakness aligns with improper handling of SVG data, classified as CWE\u2011669.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. No EPSS data is reported, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation. The likely attack vector is a crafted e\u2011mail containing the malicious SVG sent to a user; upon opening the message, the client retrieves the remote image. This straightforward exploitation path means any environment where Roundcube is used as the webmail interface could expose users to information disclosure if they receive such messages."}}}}, "created": "2026-04-03T07:31:04.635598+00:00", "title": "SVG Remote Image Blocking Bypass in Roundcube Webmail", "updated": "2026-04-03T09:15:51.095774+00:00", "vendors": ["roundcube", "roundcube$PRODUCT$webmail"]}