{"id":"CVE-2026-35543","details":"An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.","aliases":["GHSA-j2g6-8rvg-7mf6"],"modified":"2026-07-15T01:49:21.497840988Z","published":"2026-04-03T03:57:06.528Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35543.json","cna_assigner":"mitre","cwe_ids":["CWE-669"]},"references":[{"type":"WEB","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"},{"type":"WEB","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.6.14"},{"type":"WEB","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5"},{"type":"WEB","url":"https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35543.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35543"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/1a63e01542bff42aaa71c00c4c279a09ef31f20c"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/39471343ee081ce1d31696c456a2c163462daae3"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/82ab5eca7b332fce7a174b2b987f0957a66377cd"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/roundcube/roundcubemail","events":[{"introduced":"0"},{"fixed":"d742954ccbcdee7020f8f2e7c49ce0fca5a0efab"},{"introduced":"993b888afe29c383bf45c84f17090f4db96367ba"},{"fixed":"27ec6cc9cb25e1ef8b4d4ef39ce76d619caa6870"},{"fixed":"1a63e01542bff42aaa71c00c4c279a09ef31f20c"},{"fixed":"39471343ee081ce1d31696c456a2c163462daae3"},{"fixed":"82ab5eca7b332fce7a174b2b987f0957a66377cd"},{"fixed":"8e4a99b0746577c2928f5ae984b3ab533b970ca0"}],"database_specific":{"cpe":"cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"1.5.14"},{"introduced":"1.6.0"},{"fixed":"1.6.14"}],"source":["CPE_RANGE","REFERENCES"]}}],"versions":["1.7-rc4","1.5.13","1.6.13","1.7-rc3","1.7-rc2","1.5.12","1.6.12","1.7-rc","1.5.11","1.7-beta2","1.7-beta","1.5.10","1.6.11","1.6.10","1.5.9","1.6.9","1.5.8","1.6.8","1.5.7","1.6.7","1.6.6","1.5.6","1.6.5","1.5.5","1.6.4","1.6.3","1.5.4","1.6.2","1.6.1","1.5.3","1.6.0","1.6-beta","1.5.2","1.5.1","1.5.0","1.5-rc","1.5-beta","1.4-rc2","1.4-rc1","1.4-beta","1.3-beta","1.2-rc","1.2-beta","1.1.0","1.1-rc","1.1-beta","v0.1-beta2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35543.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}