Zero Day MonitorZDM

← Back to list

5.3

CVE-2026-35543PATCHED

roundcube · webmail

CVE-2026-35543: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed

Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.

Affected Products

Vendor	Product	Versions
roundcube	webmail	composer/roundcube/roundcubemail: >= 1.7-beta, < 1.7-rc5

References

Related News (1 articles)

Tier C

VulDB2d ago

CVE-2026-35543 | Roundcube Webmail up to 1.5.13/1.6.13 SVG Content resource transfer

→ No new info (linked only)

CVSS 3.15.3 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

roundcube/roundcubemail@1.7-rc5

CWECWE-669

PublishedApr 3, 2026

Last enriched2d agov2

Tags

problematic

Trending Score23

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

MEDIUMCVE-2026-35544EXP

CVE-2026-35544: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitiz

MEDIUMCVE-2026-35542EXP

CVE-2026-35542: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed

MEDIUMCVE-2026-35540EXP

CVE-2026-35540: An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization

MEDIUMCVE-2026-35545

CVE-2026-35545: An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed

MEDIUMCVE-2026-35541

CVE-2026-35541: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plu

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 3, 2026

Discovered by ZDM

Apr 3, 2026

Updated: affectedVersions, severity, tags

Apr 3, 2026

Patch Available

Apr 3, 2026

Version History

v2

Last enriched 2d ago

v2Tier C2d ago

Updated affected versions to include 1.5.13 and 1.6.13, changed severity to HIGH, and noted that no exploit is available.

affectedVersionsseveritytags

via VulDB

v12d ago

Initial creation