{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35545", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-03T04:02:06.302Z", "datePublished": "2026-04-03T04:02:06.765Z", "dateUpdated": "2026-04-03T04:14:03.451Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Webmail", "vendor": "Roundcube", "versions": [{"lessThan": "1.5.15", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "1.6.15", "status": "affected", "version": "1.6.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-669", "description": "CWE-669 Incorrect Resource Transfer Between Spheres", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T04:14:03.451Z"}, "references": [{"url": "https://roundcube.net/news/2026/03/29/security-updates-1.7-rc6-1.6.15-1.5.15"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc6"}, {"url": "https://github.com/roundcube/roundcubemail/commit/7ad62de184368bf42c0f522d1aacc030f5ddcc46"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.15"}, {"url": "https://github.com/roundcube/roundcubemail/commit/9d18d524f3cc211003fc99e2e54eed09a2f3da88"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.15"}, {"url": "https://github.com/roundcube/roundcubemail/commit/fe1320b199d3a2f58351bb699c9ed4316e73221b"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.5.15"}, {"vulnerable": true, "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.6.0", "versionEndExcluding": "1.6.15"}]}]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke."}], "id": "CVE-2026-35545", "lastModified": "2026-04-03T05:16:22.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-03T05:16:22.980", "references": [{"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/7ad62de184368bf42c0f522d1aacc030f5ddcc46"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/9d18d524f3cc211003fc99e2e54eed09a2f3da88"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/fe1320b199d3a2f58351bb699c9ed4316e73221b"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.15"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.15"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc6"}, {"source": "cve@mitre.org", "url": "https://roundcube.net/news/2026/03/29/security-updates-1.7-rc6-1.6.15-1.5.15"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-669"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.15)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.6.0,1.6.15)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "webmail", "vendor": "roundcube"}], "analysis": {"en": {"generated_at": "2026-04-03T07:21:52.197328+00:00", "value": {"mitigation_remediation": ["Upgrade Roundcube Webmail to version 1.5.15, 1.6.15, or later releases such as 1.7\u2011rc6, which have the image blocking bug fixed.", "Verify that the remote image blocking setting remains enabled in the configuration.", "Monitor Roundcube release notes and security advisories for any future patches or additional workarounds."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of Roundcube Webmail prior to versions 1.5.15 and 1.6.15, including the 1.7\u2011rc6 release line. Users running these versions should review the vendor\u2019s advisory for update instructions.", "description_and_impact": "The identified issue allows a remote attacker to bypass Roundcube Webmail\u2019s image blocking feature by embedding an SVG file in an email. The SVG uses an animate element whose attributeName can be set to fill, filter, or stroke, which the server mistakenly interprets as a remote image reference. This unintended processing exposes sensitive content or permits an attacker to circumvent access controls, resulting in information disclosure.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. No EPSS data is available and the issue is not currently listed in the CISA KEV catalogue. Exploitation requires delivery of a crafted email containing SVG content, which can be achieved through normal email traffic, making the risk realistic for exposed or open mail servers. Although no publicly known exploits exist yet, the moderate score and lack of mitigation options suggest the vulnerability is actionable."}}}}, "created": "2026-04-03T07:31:02.583598+00:00", "title": "SVG Bypass of Remote Image Blocking in Roundcube Webmail", "updated": "2026-04-03T09:15:49.106429+00:00", "vendors": ["roundcube", "roundcube$PRODUCT$webmail"]}