CVE-2026-9818

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

4.7 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N                                    

Vulnerability Description

Roundcube's HTML sanitization path for message rendering allows loopback, localhost, RFC1918, link-local, and ULA URLs even when remote content loading is disabled. A remote attacker can send an HTML email that causes the victim's browser to issue requests to local or private-network services simply by opening the message preview.

Vulnerability Details

Published Date

May 28, 2026

Last Modified

May 28, 2026

CWE ID

CWE-184

Source

NVD

External References

https://advisories.orangecyberdefense.com/advisories/163
https://github.com/roundcube/roundcubemail/commit/7b52353653a67e6073b97d70eb94047132b78556
https://github.com/roundcube/roundcubemail/commit/faf867432f51ebbe100382a70a9e3c042415ee1b
https://github.com/roundcube/roundcubemail/releases/tag/1.6.16
https://github.com/roundcube/roundcubemail/releases/tag/1.7.1

CVE-2026-9818

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment