#VU124140 Improper encoding or escaping of output in Roundcube Webmail
Published: March 19, 2026 / Updated: March 19, 2026
Vulnerability identifier: #VU124140
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-116
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Roundcube Webmail
Roundcube Webmail
Software vendor:
Roundcube
Roundcube
Description
The vulnerability allows a remote attacker to bypass remote image blocking via a crafted body background attribute.
The vulnerability exists due to improper output neutralization in HTML rendering engine when processing email body background attributes. A remote attacker can send a specially crafted HTML email with a malicious background attribute to load remote images despite blocking settings.
This bypass undermines privacy protections and enables potential user tracking through external resource loading.
Remediation
Install security update from vendor's website.