Server-side request forgery (SSRF) in Roundcube Webmail - #VU124143

Published: March 19, 2026 / Updated: March 19, 2026


Vulnerability identifier: #VU124143
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Roundcube
Affected software:
Roundcube Webmail

Detailed vulnerability description

The vulnerability allows a remote attacker to perform server-side request forgery (SSRF) and disclose internal network information.

The vulnerability exists due to improper input validation in the stylesheet handling component when processing external stylesheet links. A remote attacker can send a specially crafted email containing a stylesheet link that points to a host on the local network, forcing the server to make internal network requests and disclose the responses.

This can be exploited to scan and interact with services on the internal network, leading to information disclosure and potential further exploitation.
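The check below is an added illustration of the mitigation for this class of bug; it is not Roundcube's code (Roundcube is written in PHP) and is written in Python for clarity. Before a server fetches a stylesheet URL taken from a message, it requires an http(s) scheme, resolves the host, and refuses any URL that would reach a loopback, private, link-local or other non-global address; the resolved addresses are returned so the fetcher can connect to exactly those instead of resolving the name a second time. The hostnames and addresses in `FAKE_DNS` are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_host(host):
    """Resolve a hostname or IP literal to every address a fetch could connect to."""
    return {i[4][0] for i in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)}


def is_internal_address(ip):
    """True for any address the mail server must never fetch from."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.5 is really 10.0.0.5
    # is_global is False for loopback, RFC 1918, link-local (169.254.169.254 included),
    # CGNAT, documentation and reserved ranges; multicast is refused explicitly.
    return addr.is_multicast or not addr.is_global


def check_stylesheet_url(url, resolver=resolve_host):
    """Return (allowed, reason, pinned_ips) for a stylesheet URL found in a message."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):  # urlsplit lowercases the scheme
        return False, "scheme not allowed", []
    if parts.username or parts.password:  # e.g. http://trusted@10.0.0.5/
        return False, "userinfo in URL not allowed", []
    if not parts.hostname:
        return False, "missing host", []
    try:
        ips = resolver(parts.hostname)
    except (OSError, ValueError):  # socket.gaierror is an OSError subclass
        return False, "unresolvable host", []
    internal = sorted(ip for ip in ips if is_internal_address(ip))
    if internal:
        return False, f"resolves to internal address {internal[0]}", []
    # Caller should connect only to pinned_ips, not re-resolve (DNS rebinding).
    return True, "ok", sorted(ips)


# Constructed stand-in for DNS so the example runs offline; these are not real records.
FAKE_DNS = {
    "cdn.example": {"93.184.216.34"},
    "intranet.corp": {"10.0.0.5"},
    "rebind.attacker": {"93.184.216.34", "127.0.0.1"},  # one public, one loopback
}


def fake_resolver(host):
    """Offline resolver: table lookup, otherwise treat host as an IP literal."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    return {str(ipaddress.ip_address(host))}  # ValueError if not an IP literal
```

With the real `resolve_host` resolver the same function works against live DNS; the pinned address list is what the fetcher should pass to its HTTP client.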


Remediation

Install the security update from the vendor's website.

Sources