Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.

Remediation

References

CVE-2026-35543

Related Vulnerabilities

axios Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') Vulnerability (CVE-2026-42035)

WordPress Plugin Anti-Malware Security and Brute-Force Firewall Cross-Site Scripting (1.2.05.20)

GeoServer Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-40625)

WordPress Plugin FireStorm Professional Real Estate Multiple SQL Injection Vulnerabilities (2.05.01)

XOOPS URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2017-12138)

Severity

Medium

Classification

CVE-2026-35543 CWE-669 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities