Improper encoding or escaping of output in Roundcube Webmail - #VU124140

 


Published: March 19, 2026 / Updated: March 19, 2026


Vulnerability identifier: #VU124140
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-116
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Roundcube
Affected software:
Roundcube Webmail

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass remote image blocking via a crafted body background attribute.

The vulnerability exists due to improper output neutralization in the HTML rendering engine when processing email body background attributes. A remote attacker can send a specially crafted HTML email with a malicious background attribute to load remote images despite the blocking settings.

This bypass undermines privacy protections and enables potential user tracking through external resource loading.
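The general class of flaw described above is a remote-image blocker that neutralizes the obvious `src` attribute but overlooks other attribute vectors such as the legacy `background` attribute on `body`, `table` or `td`, or `url()` references in inline styles. The filter below is an added example written for this page, not Roundcube's own code, showing what a renderer-side blocker has to cover. The HTML fragment and the `tracker.example` host are constructed; the example does not reproduce the specific bypass in this advisory, which the page does not detail.

```python
"""Block remote resource references in HTML email before rendering.

Added example (not Roundcube code): a small "block remote images" filter
that neutralizes every attribute vector that can trigger a network fetch,
including the legacy `background` attribute, not only <img src>.
"""
import re
from html import escape
from html.parser import HTMLParser

# Attributes that can reference an external resource (constructed list).
RESOURCE_ATTRS = {"src", "background", "poster", "srcset", "lowsrc"}
# Schemes (and protocol-relative URLs) that cause a fetch when rendered.
REMOTE_SCHEME = re.compile(r"^\s*(?:https?:|ftp:|//)", re.IGNORECASE)
# url(...) tokens inside inline styles and <style> blocks.
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)
BLOCKED = "about:blank"  # placeholder that loads nothing


def is_remote(url):
    return bool(REMOTE_SCHEME.match(url or ""))


def neutralize_style(style):
    """Replace every remote url(...) in CSS text with about:blank."""
    def repl(m):
        return f"url({BLOCKED})" if is_remote(m.group(1)) else m.group(0)
    return CSS_URL.sub(repl, style)


class RemoteImageBlocker(HTMLParser):
    """Re-serializes HTML, rewriting remote references as it goes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.blocked = []  # (tag, attribute, original url) for logging/UI
        self._in_style = False

    def _filter(self, tag, attrs):
        result = []
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if value is not None and name in RESOURCE_ATTRS and is_remote(value):
                self.blocked.append((tag, name, value))
                value = BLOCKED
            elif value is not None and name == "style":
                new = neutralize_style(value)
                if new != value:
                    self.blocked.append((tag, "style", value))
                value = new
            result.append((name, value))
        return result

    def _emit_start(self, tag, attrs, selfclosing=False):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None
                         else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if selfclosing else ">"))

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        self._emit_start(tag, self._filter(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, self._filter(tag, attrs), selfclosing=True)

    def handle_endtag(self, tag):
        self._in_style = False
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # CSS inside <style> is kept raw but its url() tokens are neutralized;
        # ordinary text is re-escaped because the parser decoded entities.
        self.out.append(neutralize_style(data) if self._in_style
                        else escape(data, quote=False))


def block_remote_images(html):
    """Return (sanitized_html, list_of_blocked_references)."""
    p = RemoteImageBlocker()
    p.feed(html)
    p.close()
    return "".join(p.out), p.blocked


if __name__ == "__main__":
    # Constructed sample: three remote vectors, one inline cid: image.
    sample = ('<html><body background="http://tracker.example/pixel.gif" '
              'style="background-image:url(https://tracker.example/b.png)">'
              '<img src="https://tracker.example/i.png">'
              '<img src="cid:logo@mail"></body></html>')
    cleaned, hits = block_remote_images(sample)
    print(cleaned)
    for hit in hits:
        print("blocked:", hit)
```

The `blocked` list is what a webmail client would use to show the "remote content was blocked" banner and to log which vectors a message tried; an `@import` inside a `<style>` block is not covered here and would need the same treatment.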


Remediation

Install the security update from the vendor's website.

Sources