Medium severity5.3NVD Advisory· Published Apr 3, 2026· Updated Apr 9, 2026

CVE-2026-35544

Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
roundcube/roundcubemailPackagist	>= 1.7-beta, < 1.7-rc5	1.7-rc5

Affected products

Roundcube/Webmail
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
Range: <=1.5.13

Patches

099009b9c8e1

Fix fixed position mitigation bypass via use of !important

https://github.com/roundcube/roundcubemailAleksander MachniakMar 18, 2026via ghsa

commit

3 files changed · +5 −1

CHANGELOG.md+1 −0 modified

@@ -8,6 +8,7 @@
 - Security: Fix IMAP Injection + CSRF bypass in mail search
 - Security: Fix remote image blocking bypass via various SVG animate attributes
 - Security: Fix remote image blocking bypass via a crafted body background attribute
+- Security: Fix fixed position mitigation bypass via use of !important
 
 ## Release 1.6.13

program/lib/Roundcube/rcube_utils.php+1 −1 modified

@@ -558,7 +558,7 @@ public static function sanitize_css_block($styles, $url_callback = null)
             if ($property == 'page') {
                 // Remove 'page' attributes (#7604)
                 continue;
-            } elseif ($property == 'position' && strcasecmp($value, 'fixed') === 0) {
+            } elseif ($property == 'position' && stripos($value, 'fixed') !== false) {
                 // Convert position:fixed to position:absolute (#5264)
                 $value = 'absolute';
             } elseif (preg_match('/expression|image-set/i', $value)) {

tests/Framework/Utils.php+3 −0 modified

@@ -280,6 +280,9 @@ function test_mod_css_styles_xss()
         $mod = \rcube_utils::mod_css_styles('.test { position: fixed; top: 0;', 'rcmbody');
         $this->assertSame('#rcmbody .test { position: absolute; top: 0; }', $mod, 'Replace position:fixed with position:absolute (6)');
 
+        $mod = \rcube_utils::mod_css_styles('.test { position: fixed !important; }', 'rcmbody');
+        $this->assertSame('#rcmbody .test { position: absolute; }', $mod, 'Replace position:fixed with position:absolute (7)');
+
         // allow data URIs with images (#5580)
         $mod = rcube_utils::mod_css_styles("body { background-image: url(data:image/png;base64,123); }", 'rcmbody');
         $this->assertStringContainsString("#rcmbody { background-image: url(data:image/png;base64,123);", $mod, "Data URIs in url() allowed [1]");

57dec0c127b9

Fix fixed position mitigation bypass via use of !important

https://github.com/roundcube/roundcubemailAleksander MachniakMar 18, 2026via ghsa

commit

3 files changed · +5 −1

CHANGELOG.md+1 −0 modified

@@ -7,6 +7,7 @@
 - Security: Fix IMAP Injection + CSRF bypass in mail search
 - Security: Fix remote image blocking bypass via various SVG animate attributes
 - Security: Fix remote image blocking bypass via a crafted body background attribute
+- Security: Fix fixed position mitigation bypass via use of !important
 
 ## Release 1.5.13

program/lib/Roundcube/rcube_utils.php+1 −1 modified

@@ -562,7 +562,7 @@ public static function sanitize_css_block($styles, $url_callback = null)
             if ($property == 'page') {
                 // Remove 'page' attributes (#7604)
                 continue;
-            } elseif ($property == 'position' && strcasecmp($value, 'fixed') === 0) {
+            } elseif ($property == 'position' && stripos($value, 'fixed') !== false) {
                 // Convert position:fixed to position:absolute (#5264)
                 $value = 'absolute';
             } elseif (preg_match('/expression|image-set/i', $value)) {

tests/Framework/Utils.php+3 −0 modified

@@ -280,6 +280,9 @@ function test_mod_css_styles_xss()
         $mod = \rcube_utils::mod_css_styles('.test { position: fixed; top: 0;', 'rcmbody');
         $this->assertSame('#rcmbody .test { position: absolute; top: 0; }', $mod, 'Replace position:fixed with position:absolute (6)');
 
+        $mod = \rcube_utils::mod_css_styles('.test { position: fixed !important; }', 'rcmbody');
+        $this->assertSame('#rcmbody .test { position: absolute; }', $mod, 'Replace position:fixed with position:absolute (7)');
+
         // allow data URIs with images (#5580)
         $mod = rcube_utils::mod_css_styles("body { background-image: url(data:image/png;base64,123); }", 'rcmbody');
         $this->assertContains("#rcmbody { background-image: url(data:image/png;base64,123);", $mod, "Data URIs in url() allowed [1]");

226811a1c974

Fix fixed position mitigation bypass via use of !important

https://github.com/roundcube/roundcubemailAleksander MachniakMar 18, 2026via ghsa

commit

3 files changed · +5 −1

CHANGELOG.md+1 −0 modified

@@ -14,6 +14,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
 - Security: Fix IMAP Injection + CSRF bypass in mail search
 - Security: Fix remote image blocking bypass via various SVG animate attributes
 - Security: Fix remote image blocking bypass via a crafted body background attribute
+- Security: Fix fixed position mitigation bypass via use of !important
 
 ## 1.7-rc4

program/lib/Roundcube/rcube_utils.php+1 −1 modified

@@ -552,7 +552,7 @@ public static function sanitize_css_block($styles, $url_callback = null)
             if ($property == 'page') {
                 // Remove 'page' attributes (#7604)
                 continue;
-            } elseif ($property == 'position' && strcasecmp($value, 'fixed') === 0) {
+            } elseif ($property == 'position' && stripos($value, 'fixed') !== false) {
                 // Convert position:fixed to position:absolute (#5264)
                 $value = 'absolute';
             } elseif (preg_match('/expression|image-set/i', $value)) {

tests/Framework/UtilsTest.php+3 −0 modified

@@ -341,6 +341,9 @@ public function test_mod_css_styles_xss()
         $mod = \rcube_utils::mod_css_styles('.test { position: fixed; top: 0;', 'rcmbody');
         $this->assertSame('#rcmbody .test { position: absolute; top: 0; }', $mod, 'Replace position:fixed with position:absolute (6)');
 
+        $mod = \rcube_utils::mod_css_styles('.test { position: fixed !important; }', 'rcmbody');
+        $this->assertSame('#rcmbody .test { position: absolute; }', $mod, 'Replace position:fixed with position:absolute (7)');
+
         // allow data URIs with images (#5580)
         $mod = \rcube_utils::mod_css_styles('body { background-image: url(data:image/png;base64,123); }', 'rcmbody');
         $this->assertStringContainsString('#rcmbody { background-image: url(data:image/png;base64,123);', $mod, 'Data URIs in url() allowed [1]');

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/roundcube/roundcubemail/commit/099009b9c8e1d3c636fb9a5af72f7c2596018662nvdPatchWEB
github.com/roundcube/roundcubemail/commit/226811a1c974271dbedca72672923abaff8191c0nvdPatchWEB
github.com/roundcube/roundcubemail/commit/57dec0c127b98e0c8e3b9c26c80049b9c4bcaea7nvdPatchWEB
github.com/advisories/GHSA-xpqh-grpw-4xmgghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-35544ghsaADVISORY
roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14nvdVendor AdvisoryWEB
github.com/roundcube/roundcubemail/releases/tag/1.5.14nvdRelease NotesWEB
github.com/roundcube/roundcubemail/releases/tag/1.6.14nvdRelease NotesWEB
github.com/roundcube/roundcubemail/releases/tag/1.7-rc5nvdRelease NotesWEB

News mentions

Why Malwarebytes blocks some Yahoo Mail redirects
Malwarebytes Labs · May 14, 2026

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000