SB2026031948 - Multiple vulnerabilities in Roundcube Webmail


Published: March 19, 2026

Security Bulletin ID: SB2026031948
Severity: Critical
Patch available: YES
Number of vulnerabilities: 8
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Critical: 13%, Medium: 88%

Description

This security bulletin contains information about 8 security vulnerabilities.


1) Deserialization of Untrusted Data (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code or write arbitrary files.

The vulnerability exists due to unsafe deserialization in the redis/memcache session handler when processing session data. A remote attacker can send a specially crafted session payload to execute arbitrary code or write arbitrary files.

No authentication is required to exploit this vulnerability.


2) Missing authentication for critical function (CVE-ID: N/A)

The vulnerability allows a remote user to escalate privileges by changing another user's password without providing the old password.

The vulnerability exists due to improper authentication in the password change functionality when handling password update requests. A remote user can submit a specially crafted request to change a password without providing the old password, leading to unauthorized account modification.

Authentication is required to access the password change interface, but no old password verification is performed.


3) CRLF injection (CVE-ID: N/A)

The vulnerability allows a remote user to perform IMAP command injection and bypass CSRF protections.

The vulnerability exists due to improper input validation in the mail search functionality when handling search queries. A remote user can send a specially crafted search request containing malicious IMAP commands to execute arbitrary commands on the IMAP server and bypass CSRF restrictions.


4) Improper encoding or escaping of output (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass remote image blocking by exploiting various SVG animate attributes.

The vulnerability exists due to improper output neutralization in the HTML rendering engine when parsing SVG content with animate attributes. A remote attacker can send a specially crafted HTML email containing malicious SVG elements to load remote images despite blocking settings.

This issue affects the remote image protection mechanism and could lead to tracking and disclosure of user information.


5) Improper encoding or escaping of output (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass remote image blocking via a crafted body background attribute.

The vulnerability exists due to improper output neutralization in the HTML rendering engine when processing email body background attributes. A remote attacker can send a specially crafted HTML email with a malicious background attribute to load remote images despite blocking settings.

This bypass undermines privacy protections and enables potential user tracking through external resource loading.


6) Improper encoding or escaping of output (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass fixed position CSS mitigation by using !important declarations.

The vulnerability exists due to improper output neutralization in the CSS filtering mechanism when processing HTML email content. A remote attacker can send a specially crafted email containing styles with "!important" declarations to override fixed position restrictions.

This can be exploited to manipulate email display and potentially enable phishing or UI spoofing attacks.


7) Stored cross-site scripting (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary JavaScript via a malicious HTML attachment preview.

The vulnerability exists due to improper input validation in the HTML attachment preview component when rendering HTML attachments. A remote attacker can send a specially crafted HTML file as an attachment which, when previewed, executes arbitrary scripts in the context of the user's session.

User interaction is required to trigger the preview, but no additional authentication or privileges are needed once the attachment is opened.


8) Server-side request forgery (SSRF) (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform server-side request forgery and disclose internal network information.

The vulnerability exists due to improper input validation in the stylesheet handling component when processing external stylesheet links. A remote attacker can send a specially crafted email containing a stylesheet link to a local network host to force the server to make internal network requests and disclose responses.

This can be exploited to scan and interact with services on the internal network, leading to information disclosure and potential further exploitation.
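As an added defensive illustration (not Roundcube's code), this is the kind of allow-check a server-side fetcher should apply to a stylesheet URL before requesting it: only http/https, every resolved address checked against loopback, private, link-local and other non-public ranges, and IPv4-mapped IPv6 unwrapped so the IPv4 ranges still apply. The function name and the injectable `resolver` parameter are assumptions made for this example.

```python
# Added example, not Roundcube code: reject stylesheet URLs that would make the
# server contact a non-public address. The address that passes the check must
# also be the one actually connected to (no second DNS lookup at fetch time).
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_public(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 ranges apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def _resolve(host: str) -> list[str]:
    # Default resolver (hypothetical helper); tests pass a constructed one.
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def check_stylesheet_url(url: str, resolver=_resolve) -> tuple[bool, str]:
    """Return (allowed, reason); the reason is meant for the server log."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        # IP literal in the URL: check it directly.
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        # Hostname (or odd numeric forms like 2130706433): resolve, then
        # check every returned address, not just the first.
        try:
            candidates = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"resolution failed: {exc}"
    for addr in candidates:
        if not _is_public(addr):
            return False, f"non-public address {addr}"
    return True, "ok"
```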


Remediation

Install the update from the vendor's website.