Cyber Resilience

CVE-2026-35545

Medium

Published: 03 April 2026

Modified
07 April 2026
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score 0.0033 24.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-35545 is a medium-severity Incorrect Resource Transfer Between Spheres (CWE-669) vulnerability in Roundcube Webmail. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-35545 is a vulnerability in Roundcube Webmail versions prior to 1.5.15 and 1.6.15 that allows the remote image blocking feature to be bypassed through SVG content embedded in an email message. Specifically, an SVG animate element with attributeName set to fill, filter, or stroke can supply values for those attributes that the blocking logic does not catch. All three are presentation attributes that accept url() references, so an animation can point them at a resource outside the message. The flaw is classified under CWE-669 (Incorrect Resource Transfer Between Spheres or Security Domains) and carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N), medium severity with low integrity impact.

The vector records no privileges and no user interaction (PR:N/UI:N): an unauthenticated attacker with network access only needs to deliver a message. In practice the crafted email is sent to a Roundcube user and the bypass takes effect when that message is displayed in the webmail client. Because the animated attribute can reference an attacker-controlled URL, the protection that remote image blocking is meant to provide is defeated: the sender can learn that and when the message was opened, along with the reader's IP address and browser details, and can use the same channel to pull in further external content. Note that the vector scores confidentiality as None (C:N), so the 5.3 reflects the control bypass rather than the disclosure the advisory text mentions.

The fix ships in Roundcube Webmail 1.5.15 and 1.6.15, with corresponding changes in GitHub commits 7ad62de184368bf42c0f522d1aacc030f5ddcc46, 9d18d524f3cc211003fc99e2e54eed09a2f3da88, and fe1320b199d3a2f58351bb699c9ed4316e73221b. Security practitioners should update affected installations to these patched versions; the deployed version can be confirmed from the RCMAIL_VERSION constant in program/include/iniset.php of the installation.
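Until the upgrade lands, it is useful to be able to find messages that carry the pattern described above, for example when sweeping a mail store or a gateway quarantine. The following is an added example and not Roundcube's own sanitizer (washtml) or any code from the fix commits. It assumes that the bypass payload takes the form of an animation value containing a url() reference to a non-local resource, which is the only way fill, filter or stroke can reach a remote document; it also treats the SMIL set element like animate, a generalisation the advisory does not mention. The sample message is constructed here for the demonstration.

```python
"""Find and strip SVG SMIL animations that retarget url()-accepting
presentation attributes (fill/filter/stroke), the pattern described for
CVE-2026-35545. Added illustration, not Roundcube's washtml code."""
import re
from html.parser import HTMLParser

# Presentation attributes named in the advisory; each accepts url(...)
# paint-server or filter references, which may point at a remote document.
URL_ATTRS = {"fill", "filter", "stroke"}
# SMIL elements that assign a value to a target attribute. The advisory
# names <animate>; <set> is included as an assumption, it does the same job.
SMIL_TAGS = {"animate", "set"}
VALUE_ATTRS = ("to", "from", "by", "values")
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)


def is_remote_ref(value):
    """True if any url() in an animation value points outside the document,
    i.e. is not a '#fragment' reference to a local element."""
    return any(not m.group(1).startswith("#")
               for m in URL_RE.finditer(value or ""))


def is_offending(tag, attrs):
    """Animation targeting fill/filter/stroke with a remote url() value."""
    if tag not in SMIL_TAGS:
        return False
    a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
    if a.get("attributename", "").lower() not in URL_ATTRS:
        return False
    return any(is_remote_ref(a.get(k)) for k in VALUE_ATTRS)


class AnimateFilter(HTMLParser):
    """Re-emits the markup verbatim except for offending SMIL elements."""

    def __init__(self, strip):
        super().__init__(convert_charrefs=False)  # keep entities encoded
        self.strip = strip
        self.findings = []
        self.out = []
        self._drop_end = []  # end tags to swallow after a stripped start tag

    def _start(self, tag, attrs, self_closing):
        raw = self.get_starttag_text()
        if is_offending(tag, attrs):
            self.findings.append(raw)
            if self.strip:
                if not self_closing:
                    self._drop_end.append(tag)
                return
        self.out.append(raw)

    def handle_starttag(self, tag, attrs):
        self._start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._start(tag, attrs, True)

    def handle_endtag(self, tag):
        if self._drop_end and self._drop_end[-1] == tag:
            self._drop_end.pop()
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_pi(self, data):
        self.out.append(f"<?{data}>")


def scan(markup):
    """Return the raw start tags of offending animations (detection only)."""
    p = AnimateFilter(strip=False)
    p.feed(markup)
    p.close()
    return p.findings


def sanitize(markup):
    """Return the markup with offending animations removed."""
    p = AnimateFilter(strip=True)
    p.feed(markup)
    p.close()
    return "".join(p.out)


# Constructed sample message body: two benign animations, two that retarget
# a paint/filter attribute at a remote host (tracker.invalid is fictitious).
SAMPLE = """<html><body><p>Quarterly report attached.</p>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
 <defs><linearGradient id="g"><stop offset="0" stop-color="#fff"/></linearGradient></defs>
 <rect width="1" height="1" fill="#fff">
  <animate attributeName="opacity" from="1" to="0" dur="1s"/>
  <animate attributeName="fill" to="url(#g)" dur="1s"/>
  <animate attributeName="fill" to="url(https://tracker.invalid/p.svg#p)" dur="1s"/>
  <set attributeName="filter" to="url('https://tracker.invalid/f.svg#f')"></set>
 </rect></svg></body></html>"""

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("suspicious:", hit)
    print(sanitize(SAMPLE))
```

The scanner deliberately keeps local url(#id) references, which legitimate SVG uses for gradients and filters, and only flags values that leave the document. It is a triage aid, not a replacement for the upstream fix: a mail client that renders SVG has other ways of reaching remote content, and the patched releases address the check at the point where Roundcube itself sanitizes the message.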


Vulnerability details

An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1566 Phishing Initial Access
Adversaries may send phishing messages to gain access to victim systems.
Why these techniques?

The vulnerability is exploited by sending a crafted email containing SVG to a user of the Internet-facing Roundcube webmail application, where the image-blocking control is bypassed when the message is rendered; that maps directly to T1190 (Exploit Public-Facing Application). Because the payload arrives as a mail message and lets the sender confirm who opened it and when, it also supports T1566 (Phishing), where delivery of content that evades a client-side control is the attacker's goal.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68461 Same product: Roundcube Webmail
CVE-2026-35537 Same product: Roundcube Webmail
CVE-2023-5631 Same product: Roundcube Webmail
CVE-2025-25064 Same product class: email / collaboration
CVE-2025-68645 Same product class: email / collaboration
CVE-2026-27851 Same product class: email / collaboration
CVE-2026-42897 Same product class: email / collaboration
CVE-2025-66376 Same product class: email / collaboration
CVE-2021-34473 Same product class: email / collaboration
CVE-2026-27858 Same product class: email / collaboration

Affected Assets

roundcube webmail
< 1.5.15 · 1.6.0 to 1.6.14 (1.5.15 and 1.6.15 contain the fix)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Requires timely identification, reporting, and correction of flaws like CVE-2026-35545 by patching Roundcube Webmail to version 1.5.15 or 1.6.15.

Output filtering (prevent)
Filters information output such as email content before rendering, blocking or sanitizing the SVG animation elements that bypass remote image blocking.

SI-10 Information Input Validation (prevent)
Validates incoming email inputs to detect and reject specially crafted SVG content that exploits the image blocking bypass.
