CVE-2026-35545
Published: 03 April 2026
Summary
CVE-2026-35545 is a medium-severity Incorrect Resource Transfer Between Spheres (CWE-669) vulnerability in Roundcube Webmail. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
Requires timely identification, reporting, and correction of flaws like CVE-2026-35545 through patching Roundcube Webmail to versions 1.5.15 or 1.6.15.
Filters information output such as email content before rendering to block or sanitize malicious SVG elements that bypass remote image blocking.
Validates incoming email inputs to detect and reject specially crafted SVG content exploiting the image blocking bypass.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability allows remote exploitation of the Roundcube webmail application via crafted emails containing malicious SVG to bypass image blocking, directly mapping to T1190 (Exploit Public-Facing Application) and facilitating T1566 (Phishing) by enabling delivery of content that circumvents security controls.
NVD Description
An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.
Deeper analysis (AI-generated)
CVE-2026-35545 is a vulnerability in Roundcube Webmail versions prior to 1.5.15 and 1.6.15 that allows bypassing the remote image blocking feature through SVG content embedded in an email message. Specifically, the issue involves the SVG animate element using attributes such as attributeName=fill, filter, or stroke, which circumvents the intended blocking mechanism. This flaw is classified under CWE-669 (Incorrect Resource Transfer Between Spheres or Security Domains) and carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N), indicating medium severity with low integrity impact.
The vulnerability can be exploited remotely by unauthenticated attackers with network access, requiring low complexity and no user interaction. An attacker could send a specially crafted email containing malicious SVG content to a Roundcube user, bypassing image blocking to potentially disclose sensitive information or bypass access controls, such as loading external resources that reveal user data or enable further attacks.
Mitigation is addressed in Roundcube Webmail releases 1.5.15 and 1.6.15, with corresponding fixes in GitHub commits 7ad62de184368bf42c0f522d1aacc030f5ddcc46, 9d18d524f3cc211003fc99e2e54eed09a2f3da88, and fe1320b199d3a2f58351bb699c9ed4316e73221b. Security practitioners should update affected installations to these patched versions to prevent exploitation.
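The input-validation control above and the mechanism described in the analysis can be turned into a concrete mail-filter check. The following added example (not Roundcube's code) scans an HTML e-mail body for SVG animation elements whose attributeName is fill, filter or stroke and whose animated values carry a remote url() reference; the sample messages, the `.invalid` host and the function names are constructed for illustration.

```python
"""Flag SVG <animate>/<set> elements that smuggle remote url() references
past remote image blocking (the pattern behind CVE-2026-35545).
Added example, not Roundcube code; sample inputs are constructed."""
import re
from html.parser import HTMLParser

# Presentation attributes named in the advisory as the animated targets.
ANIMATED_TARGETS = {"fill", "filter", "stroke"}
ANIMATION_TAGS = {"animate", "set", "animatetransform", "animatemotion"}
# Attributes on the animation element that can hold the animated value(s).
VALUE_ATTRS = ("values", "from", "to", "by")
# url(...) whose target is scheme-qualified or protocol-relative, i.e. remote.
REMOTE_URL = re.compile(r"url\(\s*['\"]?\s*(?:https?:|//)", re.IGNORECASE)


class SvgAnimateScanner(HTMLParser):
    """Collect (tag, attributeName, value) for animations with remote url()."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag not in ANIMATION_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}
        target = a.get("attributename", "").strip().lower()
        if target not in ANIMATED_TARGETS:
            return
        for name in VALUE_ATTRS:
            if REMOTE_URL.search(a.get(name, "")):
                self.findings.append((tag, target, a[name]))


def find_remote_svg_animations(html: str):
    """Return every animation that references a remote resource."""
    scanner = SvgAnimateScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples: one benign colour animation, one remote reference.
BENIGN_SVG = ('<svg><rect width="1" height="1">'
              '<animate attributeName="fill" values="red;blue" dur="1s"/>'
              '</rect></svg>')
SUSPECT_EMAIL_HTML = ('<html><body><p>Quarterly report</p><svg width="1" height="1">'
                      '<rect width="1" height="1"><animate attributeName="fill" dur="1s" '
                      'values="none; url(https://tracker.invalid/p.svg#f)"/></rect>'
                      '</svg></body></html>')
```

A filter that returns a non-empty list here should strip the SVG or quarantine the message rather than rely on the static src/href checks that remote image blocking already performs.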
Details
- CWE(s)