Roundcube Webmail Remote Image Blocking Bypass Vulnerability via Crafted CSS Variable

Vulnerability

Roundcube Webmail versions 1.6.x before 1.6.16 and 1.7.x before 1.7.1 allow the remote image blocking feature to be bypassed by a specially crafted CSS var() value in an email message. When the message is displayed, the remote resource referenced through the var() value is fetched even though the user has not chosen to load remote content, which can disclose information about the recipient (for example, that and when the message was opened, and from which IP address) and defeats the access control that the blocking feature is meant to enforce.

Impact

Exploitation results in a bypass of the remote image blocking feature: the recipient's browser fetches a sender-controlled remote URL without the user opting in to load remote content. This reveals that the message was opened, when, and from which IP address, and it defeats the privacy control that remote image blocking is intended to provide.

Reproduction

The issue can be reproduced by sending an HTML email whose CSS references a remote image URL through the CSS var() function rather than directly in a property value. When Roundcube renders the message, its HTML/CSS sanitizer does not catch the indirect reference, and the browser loads the referenced image even though remote image blocking is enabled. A request for the image arriving at a server under the tester's control confirms the bypass.
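To make the mechanism concrete, the following Python script is an added, illustrative CSS style washer; it is not Roundcube's sanitizer code and does not claim to reproduce the exact Roundcube defect. It contrasts a filter that only inspects the literal value of standard properties with one that also washes custom properties and expands var() (including its fallback argument) before deciding. The policy that only data: and cid: targets count as inline, the helper names (declarations, has_remote_url, expand_vars, naive_wash, hardened_wash) and the sample style strings are assumptions made for this demonstration; the hostnames are placeholders.

```python
"""Illustrative CSS style washer (added example, not Roundcube's code).

Shows how a remote url() carried through a CSS custom property and var()
can slip past a filter that only inspects direct property values, and how
a washer that inspects every declaration and expands var() closes the gap.
The policy, helper names and sample styles are assumptions for this demo.
"""
import re

# Constructed sample style blocks, as might appear in a style="" attribute
# of an HTML email. The hostnames are placeholders, not real endpoints.
SAMPLE_STYLE = (
    "--bg: url(https://tracker.example/pixel.png); "
    "background: var(--bg); "
    "color: #333"
)
SAMPLE_FALLBACK_STYLE = (
    "background-image: var(--missing, url('https://tracker.example/p.gif')); "
    "font-weight: bold"
)
SAMPLE_INLINE_STYLE = (
    "--logo: url(data:image/svg+xml,%3Csvg/%3E); "
    "background: var(--logo)"
)

INLINE_SCHEMES = ("data:", "cid:")   # assumption: these never cause a remote fetch
MAX_VAR_DEPTH = 8                    # guard against --a: var(--b); --b: var(--a)


def _closing_paren(text, open_idx):
    """Index just past the ')' that balances the '(' at text[open_idx]."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return i + 1
    return len(text)  # unbalanced: treat the rest of the value as the argument


def declarations(style):
    """Split 'prop: value; prop: value' into (lowercased prop, value) pairs.
    Simplification: a ';' inside a quoted url() would split the declaration."""
    out = []
    for decl in style.split(";"):
        prop, sep, value = decl.partition(":")
        if sep and prop.strip():
            out.append((prop.strip().lower(), value.strip()))
    return out


def has_remote_url(value):
    """True if value contains a url() whose target is not an inline scheme."""
    for m in re.finditer(r"url\s*\(", value, re.I):
        end = _closing_paren(value, m.end() - 1)
        target = value[m.end():end - 1].strip().strip("'\"").strip().lower()
        if not target.startswith(INLINE_SCHEMES):
            return True
    return False


def expand_vars(value, custom_props, depth=0):
    """Replace each var(--name[, fallback]) with the custom property's value,
    or with the fallback when the property is undefined, recursing into
    nested var() calls up to MAX_VAR_DEPTH."""
    if depth > MAX_VAR_DEPTH:
        return value
    out, pos = [], 0
    for m in re.finditer(r"var\s*\(", value, re.I):
        if m.start() < pos:
            continue  # nested inside a var() that was already consumed
        end = _closing_paren(value, m.end() - 1)
        name, has_fallback, fallback = value[m.end():end - 1].partition(",")
        name = name.strip().lower()
        if name in custom_props:
            replacement = custom_props[name]
        elif has_fallback:
            replacement = fallback.strip()
        else:
            replacement = ""  # undefined with no fallback: invalid at computed-value time
        out.append(value[pos:m.start()])
        out.append(expand_vars(replacement, custom_props, depth + 1))
        pos = end
    out.append(value[pos:])
    return "".join(out)


def naive_wash(style):
    """Filter that checks url() only in the literal value of standard properties.
    Custom properties are treated as opaque data and passed through, and var()
    is never expanded, so a remote url() reaches the browser via the variable."""
    kept = []
    for prop, value in declarations(style):
        if prop.startswith("--") or not has_remote_url(value):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)


def hardened_wash(style):
    """Wash every declaration, custom properties included, and judge standard
    properties on their var()-expanded value rather than the literal text."""
    decls = declarations(style)
    custom_props = {p: v for p, v in decls if p.startswith("--")}
    kept = []
    for prop, value in decls:
        if prop.startswith("--"):
            if not has_remote_url(value):
                kept.append(f"{prop}: {value}")
            continue
        if not has_remote_url(expand_vars(value, custom_props)):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)


if __name__ == "__main__":
    for sample in (SAMPLE_STYLE, SAMPLE_FALLBACK_STYLE, SAMPLE_INLINE_STYLE):
        print("naive   :", naive_wash(sample))
        print("hardened:", hardened_wash(sample))
```

Running the script shows naive_wash returning SAMPLE_STYLE unchanged, so the browser would resolve var(--bg) to the remote url() and fetch it, while hardened_wash drops both the custom property and the declaration that consumes it and keeps only "color: #333". The inline data: sample survives both washers, which is the check that the hardened rule does not over-block legitimate embedded images. One caveat for a real washer: custom properties can be defined in a different rule or in a <style> block and consumed elsewhere, so the expansion in hardened_wash must see every declaration the browser will see, not just one style attribute at a time.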

Remediation

Update to Roundcube Webmail 1.6.16 or 1.7.1 (or later). After updating, re-send the test message from the Reproduction section to a mailbox on the patched instance and confirm on a server you control that no request for the referenced image arrives while remote image blocking is enabled.

Added: May 26, 2026, 6:41 PM
Updated: May 26, 2026, 6:41 PM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 1.3
exploitability: 7.6
remediation: 7.7
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.