{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35544", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-03T03:59:48.463Z", "datePublished": "2026-04-03T03:59:49.053Z", "dateUpdated": "2026-04-03T12:50:12.338Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Webmail", "vendor": "Roundcube", "versions": [{"lessThan": "1.5.14", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "1.6.14", "status": "affected", "version": "1.6.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-669", "description": "CWE-669 Incorrect Resource Transfer Between Spheres", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T03:59:49.053Z"}, "references": [{"url": "https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5"}, {"url": "https://github.com/roundcube/roundcubemail/commit/226811a1c974271dbedca72672923abaff8191c0"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.14"}, {"url": "https://github.com/roundcube/roundcubemail/commit/099009b9c8e1d3c636fb9a5af72f7c2596018662"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"}, {"url": "https://github.com/roundcube/roundcubemail/commit/57dec0c127b98e0c8e3b9c26c80049b9c4bcaea7"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T12:50:06.228941Z", "id": "CVE-2026-35544", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:50:12.338Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35544", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T12:50:06.228941Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:50:09.218Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Roundcube", "product": "Webmail", "versions": [{"status": "affected", "version": "0", "lessThan": "1.5.14", "versionType": "semver"}, {"status": "affected", "version": "1.6.0", "lessThan": "1.6.14", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5"}, {"url": "https://github.com/roundcube/roundcubemail/commit/226811a1c974271dbedca72672923abaff8191c0"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.14"}, {"url": "https://github.com/roundcube/roundcubemail/commit/099009b9c8e1d3c636fb9a5af72f7c2596018662"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"}, {"url": "https://github.com/roundcube/roundcubemail/commit/57dec0c127b98e0c8e3b9c26c80049b9c4bcaea7"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-669", "description": "CWE-669 Incorrect Resource Transfer Between Spheres"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T03:59:49.053Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35544", "state": "PUBLISHED", "dateUpdated": "2026-04-03T12:50:12.338Z", "dateReserved": "2026-04-03T03:59:48.463Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-03T03:59:49.053Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D54F615-2408-47CF-866C-93A7041665CD", "versionEndIncluding": "1.5.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "matchCriteriaId": "36D1025D-5F8E-405B-8788-0F8FEE30B3C9", "versionEndIncluding": "1.6.13", "versionStartIncluding": "1.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important."}], "id": "CVE-2026-35544", "lastModified": "2026-04-09T01:09:00.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-03T05:16:22.810", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/roundcube/roundcubemail/commit/099009b9c8e1d3c636fb9a5af72f7c2596018662"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/roundcube/roundcubemail/commit/226811a1c974271dbedca72672923abaff8191c0"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/roundcube/roundcubemail/commit/57dec0c127b98e0c8e3b9c26c80049b9c4bcaea7"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.14"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-669"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.14)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.6.0,1.6.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Webmail", "source": "cna", "vendor": "Roundcube"}, "product": "webmail", "vendor": "roundcube"}], "analysis": {"en": {"generated_at": "2026-04-09T02:51:02.719308+00:00", "value": {"mitigation_remediation": ["Upgrade Roundcube to version 1.5.14 or later (including 1.6.14 and 1.7\u2011rc5).", "Verify that the update successfully replaces the vulnerable component by checking the webmail version.", "If an immediate upgrade is not possible, implement a filter to strip or sanitize CSS from incoming e\u2011mail before it is rendered."], "summary": {"action": "Immediate Patch", "impact": "CSS injection bypasses fixed-position safeguards, potentially exposing hidden UI elements."}, "threat_synthesis": {"affected_systems": "Roundcube Webmail, all releases prior to 1.5.14 and 1.6.14, including earlier 1.x versions, are affected. Upgrading to version 1.5.14, 1.6.14, or later releases such as 1.7-rc5 removes the flaw.", "description_and_impact": "Insufficient CSS sanitization in Roundcube Webmail allows an attacker to inject CSS rules that utilize the !important directive to override elements positioned with fixed positioning. This can bypass the intended fixed-position mitigation and cause hidden or protected UI components to become visible. Based on the description, the vulnerability may expose content that is otherwise hidden, though the exact extent depends on the email layout.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates moderate severity. The EPSS score is below 1\u202f% and the issue is not listed in the CISA KEV catalog, suggesting limited exploitation. The vulnerability is likely exploitable via a crafted e\u2011mail containing malicious CSS. Delivery of such an email to a user of the affected version is sufficient for an attacker to trigger the bypass; no privileged access or code execution beyond the email content is required."}}}}, "created": "2026-04-03T07:31:03.615249+00:00", "updated": "2026-04-09T08:29:18.909728+00:00", "vendors": ["roundcube", "roundcube$PRODUCT$webmail"]}