ALT-PU-2026-6001-2

Package update roundcube in branch sisyphus

Version1.6.15-alt1

Published2026-05-07

Max severityHIGH

Severity:

Closed issues (3)

HIGH8.2

Уязвимость функции удаленной блокировки изображений почтового клиента RoundCube Webmail, позволяющая нарушителю раскрыть защищаемую информацию и обойти существующие ограничения безопасности

Published: 2026-05-06

CVSS 3.xHIGH 8.2

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CVSS 2.0HIGH 8.5

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:P/A:N

References

CVE-2026-35545

HIGH8.2

An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.

Published: 2026-04-03Modified: 2026-04-07

CVSS 3.xHIGH 8.2

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

References

GHSA-w846-74jr-76cv

MEDIUM5.3

Roundcube Webmail: Remote image blocking feature can be bypassed via SVG content in an e-mail message

Published: 2026-04-03Modified: 2026-04-04

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References