CVE-2026-48848
Description
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 allow CSS injection via an SVG animate element with attributeName="style".
Vulnerability
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 contain a CSS injection vulnerability in the HTML sanitizer. The bug occurs when the sanitizer processes SVG documents containing an `<animate>` element with `attributeName="style"`. The `wash_attribs` function previously sanitized only the `style` attribute itself and did not handle the case where CSS is supplied through the `values` attribute of an element whose `attributeName` is `style`. The fix (commits [1] and [2]) adds a check for `values` attributes when the parent node's `attributename` matches the style pattern.
Exploitation
An attacker who can send an HTML email to a Roundcube user (no special authentication required) can craft a message containing malicious SVG content. When the victim views this email in Roundcube, the sanitizer fails to block the CSS injection, allowing the attacker to inject arbitrary CSS styles into the page context.
Impact
Successful exploitation allows an attacker to inject arbitrary CSS styles into the victim's Roundcube session. This CSS injection can be used to exfiltrate sensitive data, modify the appearance of the webmail interface, or potentially aid in further attacks (e.g., phishing by overlaying fake input fields). Impact is limited to CSS manipulation; full JavaScript execution is not directly achieved, but CSS injection alone can lead to information disclosure and UI redressing.
Mitigation
Roundcube released fixed versions 1.6.16 (LTS) and 1.7.1 (stable) on 2026-05-25 [3][4]. Administrators should update all installations to these or later versions. No workaround is available; upgrading is mandatory to close the bypass. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) as of this writing.
- [1] Fix CSS injection bypass in HTML sanitizer via SVG `<animate attribut… · roundcube/roundcubemail@c960d10
- [2] Fix CSS injection bypass in HTML sanitizer via SVG `<animate attribut… · roundcube/roundcubemail@58e5263
- [3] Release Roundcube Webmail 1.7.1 · roundcube/roundcubemail
- [4] Release Roundcube Webmail 1.6.16 · roundcube/roundcubemail
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <1.6.16, <1.7.1
Patches
58e5263f341e: Fix CSS injection bypass in HTML sanitizer via SVG `<animate attributeName="style">`
3 files changed · +23 −4
CHANGELOG.md+1 −0 modified@@ -4,6 +4,7 @@ - Fix potential too long value in IMAP ID command (#10136) - Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog +- Security: Fix CSS injection bypass in HTML sanitizer via SVG `<animate attributeName="style">` ## Release 1.6.15
program/lib/Roundcube/rcube_washtml.php+10 −4 modified@@ -293,11 +293,17 @@ private function wash_attribs($node) $key = strtolower($name); $value = $attr->nodeValue; - if ($key == 'style' && ($style = $this->wash_style($value))) { - // replace double quotes to prevent syntax error and XSS issues (#1490227) - $result .= ' style="' . str_replace('"', '"', $style) . '"'; + if ($key == 'style' || ($key == 'values' && self::attribute_value($node, 'attributename', '/^style$/i'))) { + $style = ''; + if ($value === '' || ($style = $this->wash_style($value))) { + // replace double quotes to prevent syntax error and XSS issues (#1490227) + $result .= ' ' . $attr->nodeName . '="' . str_replace('"', '"', $style) . '"'; + } + else { + $washed[] = htmlspecialchars($attr->nodeName, \ENT_QUOTES, $this->config['charset']); + } } - else if (isset($this->_html_attribs[$key]) || in_array($key, $additional_attribs)) { + elseif (isset($this->_html_attribs[$key]) || in_array($key, $additional_attribs)) { $value = trim($value); $out = null;
tests/Framework/Washtml.php+12 −0 modified@@ -525,6 +525,18 @@ function data_wash_svg_tests() '<svg><animate attributeName="fill" values="url(http://external.site)" dur="1s" begin="0s" fill="freeze" /></svg>', '<svg><!-- animate blocked --></svg>', ], + [ + '<svg><rect><animate attributeName="style" values="filter:url(http://attacker.com)" dur="0s" fill="freeze"/></rect></svg>', + '<svg><rect><animate attributeName="style" dur="0s" fill="freeze" x-washed="values" /></rect></svg>', + ], + [ + '<svg><rect><animate attributeName="style" values="width:expression(alert(1))" dur="0s" fill="freeze"/></rect></svg>', + '<svg><rect><animate attributeName="style" dur="0s" fill="freeze" x-washed="values" /></rect></svg>', + ], + [ + '<svg><rect><animate attributeName="style" values="position:fixed;top:0;left:0" dur="0s" fill="freeze"/></rect></svg>', + '<svg><rect><animate attributeName="style" values="position: absolute; top: 0; left: 0" dur="0s" fill="freeze" /></rect></svg>', + ], ]; }
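Review bot: the new branch in `wash_attribs()` needs an inline comment explaining why a `values` attribute is routed through `wash_style()`: from `$key == 'values' && self::attribute_value($node, 'attributename', '/^style$/i')` alone a later reader will not see that SMIL animation values targeting the style property are CSS. Note also that `$node` here is the element whose attributes are being iterated, i.e. the `<animate>` element itself, whereas the narrative above describes the check as reading the parent node's `attributename`; the comment should state which element is inspected. Finally, confirm the quote-escaping survived: as rendered on this page the call reads `str_replace('"', '"', $style)`, which is a no-op, on both the removed and the added line; this is most likely the page decoding an entity, but it is worth checking in the real diff since that replacement is what keeps the attribute value from breaking out of its quotes.

Review bot: the three new test vectors all use lowercase `attributeName="style"` and a non-empty `values`; add a case with `attributeName="STYLE"` to exercise the `/i` flag in the new regex, and one with `values=""` to cover the `$value === ''` branch, which emits an empty attribute instead of an `x-washed` marker. The third expected output also silently documents that `wash_style()` rewrites `position:fixed` to `position: absolute`; a comment on that fixture would stop a future `wash_style()` change from looking like a regression in this test.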
c960d102472d: Fix CSS injection bypass in HTML sanitizer via SVG `<animate attributeName="style">`
3 files changed · +21 −3
CHANGELOG.md+1 −0 modified@@ -15,6 +15,7 @@ This file includes only changes we consider noteworthy for users, admins and plu - Fix `assets_path` feature and remove dependency on `PATH_INFO` (#10185) - Fix MySQL upgrade on MySQL < 8.0 and MariaDB < 10.5.3 (#10188) - Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog +- Security: Fix CSS injection bypass in HTML sanitizer via SVG `<animate attributeName="style">` ## Release 1.7.0
program/lib/Roundcube/rcube_washtml.php+8 −3 modified@@ -291,9 +291,14 @@ private function wash_attribs($node) $key = strtolower($name); $value = $attr->nodeValue; - if ($key == 'style' && ($style = $this->wash_style($value))) { - // replace double quotes to prevent syntax error and XSS issues (#1490227) - $result .= ' style="' . str_replace('"', '"', $style) . '"'; + if ($key == 'style' || ($key == 'values' && self::attribute_value($node, 'attributename', '/^style$/i'))) { + $style = ''; + if ($value === '' || ($style = $this->wash_style($value))) { + // replace double quotes to prevent syntax error and XSS issues (#1490227) + $result .= ' ' . $attr->nodeName . '="' . str_replace('"', '"', $style) . '"'; + } else { + $washed[] = htmlspecialchars($attr->nodeName, \ENT_QUOTES, $this->config['charset']); + } } elseif (isset($this->_html_attribs[$key]) || in_array($key, $additional_attribs)) { $value = trim($value); $out = null;
tests/Framework/WashtmlTest.php+12 −0 modified@@ -542,6 +542,18 @@ public static function provide_wash_svg_tests_cases(): iterable '<svg><animate attributeName="fill" values="url(http://external.site)" dur="1s" begin="0s" fill="freeze" /></svg>', '<svg><!-- animate blocked --></svg>', ], + [ + '<svg><rect><animate attributeName="style" values="filter:url(http://attacker.com)" dur="0s" fill="freeze"/></rect></svg>', + '<svg><rect><animate attributeName="style" dur="0s" fill="freeze" x-washed="values" /></rect></svg>', + ], + [ + '<svg><rect><animate attributeName="style" values="width:expression(alert(1))" dur="0s" fill="freeze"/></rect></svg>', + '<svg><rect><animate attributeName="style" dur="0s" fill="freeze" x-washed="values" /></rect></svg>', + ], + [ + '<svg><rect><animate attributeName="style" values="position:fixed;top:0;left:0" dur="0s" fill="freeze"/></rect></svg>', + '<svg><rect><animate attributeName="style" values="position: absolute; top: 0; left: 0" dur="0s" fill="freeze" /></rect></svg>', + ], ]; }
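Review bot: this is the same change as 58e5263 applied to the 1.7 branch, the only difference being that the 1.7 context already uses `elseif`, so the comments made on that commit (inline comment on the new branch, which element `$node` refers to, the rendered `str_replace('"', '"', $style)` line, and the missing uppercase and empty-`values` test cases) apply here unchanged. One style point specific to the test data: the existing vector uses `url(http://external.site)` as its placeholder host while the three new ones use `http://attacker.com`; keep a single placeholder host across the provider so the fixtures do not name a real domain.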
Vulnerability mechanics
Root cause
"Missing sanitization of the `values` attribute on SVG `<animate attributeName="style">` elements"
Attack vector
An attacker crafts an SVG document containing an `<animate attributeName="style">` element whose `values` attribute carries CSS.
Affected code
The vulnerability resides in the `wash_attribs` method of `program/lib/Roundcube/rcube_washtml.php` [patch_id=2473661][patch_id=2473662]. The sanitizer only checked the `style` attribute for CSS content, but did not inspect the `values` attribute on SVG `<animate attributeName="style">` elements.
What the fix does
The patch adds a condition to the `wash_attribs` method that checks whether the attribute name is `values` and the parent element's `attributename` attribute equals `style` (case-insensitive) [patch_id=2473661][patch_id=2473662]. When this condition is true, the `values` content is passed through the existing `wash_style()` sanitizer, which strips dangerous CSS constructs like `filter:url(...)`, `expression(...)`, and other potentially malicious values. If the style washing fails (returns empty), the attribute is removed entirely by adding it to the `$washed` array. The test cases confirm that malicious `values` content is either sanitized to safe CSS or replaced with an `x-washed` placeholder attribute [patch_id=2473661][patch_id=2473662].
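The check described above, as an added Python model that is not Roundcube's code: it reproduces the decision the patch adds to `wash_attribs()` (treat `values` as CSS when the element's `attributeName` targets `style`, pass it through style washing, and drop it with an `x-washed` marker when nothing safe remains) and runs it over the three test vectors from the patch. `wash_style` here is a simplified stand-in for Roundcube's `wash_style()` that implements only the behaviour those vectors exercise; `attribute_value`, `wash_svg`, `check_all` and the `apply_fix` switch are names chosen for this model, and the multi-attribute `x-washed` format is an assumption.

```python
import re
import xml.etree.ElementTree as ET

STYLE_TARGET = re.compile(r"^style$", re.I)  # the patch's '/^style$/i'


def wash_style(value: str) -> str:
    """Stand-in for rcube_washtml::wash_style() (assumption, not the real code).

    Drops any declaration whose value contains url() or expression() and
    rewrites position:fixed to absolute; that is the behaviour the patch's
    three test vectors rely on. Returns '' when nothing safe remains.
    """
    kept = []
    for decl in value.split(";"):
        if ":" not in decl:
            continue
        prop, val = (part.strip() for part in decl.split(":", 1))
        if re.search(r"(url|expression)\s*\(", val, re.I):
            continue
        if prop.lower() == "position" and val.lower() == "fixed":
            val = "absolute"
        kept.append(f"{prop}: {val}")
    return "; ".join(kept)


def attribute_value(elem: ET.Element, name: str, pattern: re.Pattern) -> bool:
    """Model of self::attribute_value($node, $name, $regex): case-insensitive
    attribute lookup on the same element, value tested against the regex."""
    for attr, val in elem.attrib.items():
        if attr.lower() == name:
            return pattern.match(val) is not None
    return False


def wash_attribs(elem: ET.Element, apply_fix: bool = True) -> list:
    """Sanitize one element's CSS-carrying attributes in place.

    Returns the names of attributes that were removed; as in Roundcube they
    are then recorded in an x-washed="..." attribute (space-joined here is
    an assumption for the multi-attribute case).
    """
    washed = []
    for name in list(elem.attrib):
        key = name.lower()
        value = elem.attrib[name]
        carries_css = key == "style"          # pre-fix behaviour: style only
        if apply_fix:
            # The fix: a SMIL `values` attribute is CSS when this element's
            # attributeName targets the style property.
            carries_css = carries_css or (
                key == "values"
                and attribute_value(elem, "attributename", STYLE_TARGET)
            )
        if not carries_css:
            continue  # other attributes go through the allow-list (not modelled)
        style = "" if value == "" else wash_style(value)
        if value == "" or style:
            elem.set(name, style)             # keep, with the washed CSS
        else:
            del elem.attrib[name]             # nothing safe left: drop it
            washed.append(name)
    if washed:
        elem.set("x-washed", " ".join(washed))
    return washed


def wash_svg(svg: str, apply_fix: bool = True) -> str:
    """Parse a (namespace-free) SVG fragment, wash every element, re-serialize."""
    root = ET.fromstring(svg)
    for elem in root.iter():
        wash_attribs(elem, apply_fix)
    return ET.tostring(root, encoding="unicode")


# (input, expected output) pairs copied from the patch's Washtml test provider.
CASES = [
    ('<svg><rect><animate attributeName="style" values="filter:url(http://attacker.com)" dur="0s" fill="freeze"/></rect></svg>',
     '<svg><rect><animate attributeName="style" dur="0s" fill="freeze" x-washed="values" /></rect></svg>'),
    ('<svg><rect><animate attributeName="style" values="width:expression(alert(1))" dur="0s" fill="freeze"/></rect></svg>',
     '<svg><rect><animate attributeName="style" dur="0s" fill="freeze" x-washed="values" /></rect></svg>'),
    ('<svg><rect><animate attributeName="style" values="position:fixed;top:0;left:0" dur="0s" fill="freeze"/></rect></svg>',
     '<svg><rect><animate attributeName="style" values="position: absolute; top: 0; left: 0" dur="0s" fill="freeze" /></rect></svg>'),
]


def check_all() -> bool:
    """True when the fixed path reproduces every expected output from the patch."""
    return all(wash_svg(src) == expected for src, expected in CASES)


if __name__ == "__main__":
    print("all patch vectors match:", check_all())
    print("pre-fix output:", wash_svg(CASES[0][0], apply_fix=False))
```

Running `wash_svg(..., apply_fix=False)` on the first vector shows the pre-fix behaviour: the `values` attribute is not recognised as CSS and passes through untouched, which is the bypass the advisory describes. Note that `attribute_value` inspects the element whose attributes are being washed, mirroring `self::attribute_value($node, ...)` in the hunk, where `$node` is the `<animate>` element itself.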
Preconditions
- Input: the attacker must be able to send an HTML email or otherwise inject SVG content into Roundcube's HTML rendering pipeline
- Config: the victim must view the crafted message in Roundcube Webmail with HTML rendering enabled
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/roundcube/roundcubemail/commit/58e5263f341e6a418774fb6d2643669a3c4d8a27 (mitre)
- github.com/roundcube/roundcubemail/commit/c960d102472dc579e15907d5bcdc3103a090ccf9 (mitre)
- github.com/roundcube/roundcubemail/releases/tag/1.6.16 (mitre)
- github.com/roundcube/roundcubemail/releases/tag/1.7.1 (mitre)
- roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1 (mitre)