CVE-2026-48846
MEDIUM NVDCVSS Score
6.5
Severity
MEDIUM
Source
NVD
Published
May 25, 2026
Description
In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.