{"id":"DEBIAN-CVE-2026-48845","details":"In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message.","modified":"2026-05-26T09:00:09.992708742Z","published":"2026-05-25T20:16:37.027Z","upstream":["CVE-2026-48845"],"references":[{"type":"ADVISORY","url":"https://security-tracker.debian.org/tracker/CVE-2026-48845"}],"affected":[{"package":{"name":"roundcube","ecosystem":"Debian:11","purl":"pkg:deb/debian/roundcube?arch=source&distro=bullseye"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.4.11+dfsg.1-4","1.4.12+dfsg.1-1~bpo10+1","1.4.12+dfsg.1-1~deb11u1","1.4.13+dfsg.1-1~deb11u1","1.4.13+dfsg.1-1~deb11u1~bpo10+1","1.4.14+dfsg.1-1~deb11u1","1.4.14+dfsg.1-1~deb11u1~bpo10+1","1.4.15+dfsg.1-1+deb11u3","1.4.15+dfsg.1-1+deb11u4","1.4.15+dfsg.1-1+deb11u5","1.4.15+dfsg.1-1+deb11u6","1.4.15+dfsg.1-1+deb11u7","1.4.15+dfsg.1-1+deb11u8","1.4.15+dfsg.1-1~deb11u1","1.4.15+dfsg.1-1~deb11u1~bpo10+1","1.4.15+dfsg.1-1~deb11u2","1.4.15+dfsg.1-1~deb11u2~bpo10+1","1.5.0+dfsg.1-1","1.5.0+dfsg.1-2","1.5.1+dfsg-1","1.5~beta+dfsg.1-1","1.5~beta+dfsg.1-2","1.5~beta+dfsg.1-3","1.5~beta+dfsg.1-4","1.5~rc+dfsg.1-1","1.5~rc+dfsg.1-2","1.5~rc+dfsg.1-3","1.6.0+dfsg-1","1.6.0+dfsg-1.1","1.6.0+dfsg-2","1.6.1+dfsg-1","1.6.10+dfsg-1","1.6.10+dfsg-2","1.6.11+dfsg-1","1.6.12+dfsg-1","1.6.13+dfsg-1","1.6.14+dfsg-1","1.6.15+dfsg-1","1.6.16+dfsg-1","1.6.2+dfsg-1","1.6.3+dfsg-1","1.6.3+dfsg-1~deb12u1","1.6.3+dfsg-2","1.6.4+dfsg-1","1.6.4+dfsg-1~deb12u1","1.6.5+dfsg-1","1.6.5+dfsg-1~deb12u1","1.6.6+dfsg-1","1.6.6+dfsg-2","1.6.7+dfsg-1","1.6.8+dfsg-1","1.6.8+dfsg-2","1.6.9+dfsg-1","1.6.9+dfsg-2","1.6~beta+dfsg-1","1.6~beta+dfsg-2","1.6~rc+dfsg-1","1.6~rc+dfsg-2"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48845.json"}},{"package":{"name":"roundcube","ecosystem":"Debian:12","purl":"pkg:deb/debian/roundcube?arch=source&distro=bookworm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.6.1+dfsg-1","1.6.10+dfsg-1","1.6.10+dfsg-2","1.6.11+dfsg-1","1.6.12+dfsg-1","1.6.13+dfsg-1","1.6.14+dfsg-1","1.6.15+dfsg-1","1.6.16+dfsg-1","1.6.2+dfsg-1","1.6.3+dfsg-1","1.6.3+dfsg-1~deb12u1","1.6.3+dfsg-2","1.6.4+dfsg-1","1.6.4+dfsg-1~deb12u1","1.6.5+dfsg-1","1.6.5+dfsg-1+deb12u2","1.6.5+dfsg-1+deb12u3","1.6.5+dfsg-1+deb12u4","1.6.5+dfsg-1+deb12u5","1.6.5+dfsg-1+deb12u6","1.6.5+dfsg-1+deb12u7","1.6.5+dfsg-1+deb12u8","1.6.5+dfsg-1~deb12u1","1.6.6+dfsg-1","1.6.6+dfsg-2","1.6.7+dfsg-1","1.6.8+dfsg-1","1.6.8+dfsg-2","1.6.9+dfsg-1","1.6.9+dfsg-2"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48845.json"}},{"package":{"name":"roundcube","ecosystem":"Debian:13","purl":"pkg:deb/debian/roundcube?arch=source&distro=trixie"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.6.11+dfsg-1","1.6.12+dfsg-0+deb13u1","1.6.12+dfsg-1","1.6.13+dfsg-0+deb13u1","1.6.13+dfsg-1","1.6.14+dfsg-1","1.6.15+dfsg-0+deb13u1","1.6.15+dfsg-1","1.6.16+dfsg-1"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48845.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}