#VU124143 Server-side request forgery (SSRF) in Roundcube Webmail

Published: March 19, 2026 / Updated: March 19, 2026


Vulnerability identifier: #VU124143
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Roundcube Webmail
Software vendor:
Roundcube

Description

The vulnerability allows a remote attacker to perform server-side request forgery (SSRF) and disclose internal network information.

The vulnerability exists due to improper input validation in the stylesheet handling component when processing external stylesheet links. A remote attacker can send a specially crafted email containing a stylesheet link that points at a host on the local network, forcing the server to make requests to that internal host and disclosing the responses.

This can be exploited to scan and interact with services on the internal network, leading to information disclosure and potential further exploitation.
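As an added defender's illustration (example code, not Roundcube's own), the check below pulls stylesheet references out of an HTML message body and refuses to fetch any whose host resolves to a loopback, private, link-local or otherwise non-public address; the regexes, hostnames and offline resolver are constructed for this example.

```python
import ipaddress
import re
import socket
from urllib.parse import urlparse

# Minimal extraction of stylesheet references; a production filter should walk a
# real HTML/CSS parse tree. These regexes are an assumption for this example.
LINK_RE = re.compile(r'<link\b[^>]*rel=["\']?stylesheet["\']?[^>]*href=["\']([^"\']+)', re.I)
IMPORT_RE = re.compile(r'@import\s+(?:url\()?["\']?([^"\')\s;]+)', re.I)

def stylesheet_urls(html: str) -> list[str]:
    """Every stylesheet URL the renderer would otherwise fetch server-side."""
    return LINK_RE.findall(html) + IMPORT_RE.findall(html)

def is_internal(addr: str) -> bool:
    """True for loopback, RFC 1918, link-local, ULA, multicast, reserved, unspecified."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:a.b.c.d -> a.b.c.d
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def default_resolve(host: str) -> list[str]:
    return sorted({a[4][0] for a in socket.getaddrinfo(host, None)})

def safe_to_fetch(url: str, resolve=default_resolve) -> bool:
    """Allow only http(s) URLs whose *every* resolved address is public."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname
    try:
        ipaddress.ip_address(host)          # literal IP: no DNS lookup needed
        addrs = [host]
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            return False
    # To defeat DNS rebinding, the fetcher must connect to one of these vetted
    # addresses instead of re-resolving the hostname later.
    return bool(addrs) and not any(is_internal(a) for a in addrs)

def partition_stylesheets(html: str, resolve=default_resolve) -> tuple[list[str], list[str]]:
    """Split stylesheet URLs found in html into (fetchable, blocked)."""
    urls = stylesheet_urls(html)
    allowed = [u for u in urls if safe_to_fetch(u, resolve)]
    return allowed, [u for u in urls if u not in allowed]

# Constructed sample message and fake resolver so the example runs offline.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://intranet.example/admin.css">
<link rel="stylesheet" href="https://cdn.example/theme.css">
<style>@import url("http://127.0.0.1:8080/x.css");</style>
<style>@import "http://[::ffff:192.168.1.10]/y.css";</style>
</head><body>hi</body></html>"""
FAKE_DNS = {"intranet.example": ["10.1.2.3"], "cdn.example": ["93.184.216.34"]}
fake_resolve = lambda h: FAKE_DNS.get(h, [])
```

Running `partition_stylesheets(SAMPLE_HTML, fake_resolve)` keeps only the public CDN link and blocks the three internal references.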


Remediation

Install security update from vendor's website.

External links