CVE-2026-9818 - Vulnerability Details

Description

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Published: 2026-05-28

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

No data.

Vendor Product Confidence Versions

Roundcube

Webmail

90%

Version	Status	Scheme	Platform
`[0,1.6.16)`	affected	generic	—
`[1.7.0,1.7.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

No reference.

History

Sat, 30 May 2026 10:30:00 +0000

Type	Values Removed	Values Added
Title	Roundcube Local/Private URL Fetch Bypass
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 28 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-184
References	https://advisories.orangecyberdefense.com/advisories/163 https://github.com/roundcube/roundcubemail/commit/7b52353653a67e6073b97d70eb94047132b78556 https://github.com/roundcube/roundcubemail/commit/faf867432f51ebbe100382a70a9e3c042415ee1b https://github.com/roundcube/roundcubemail/releases/tag/1.6.16 https://github.com/roundcube/roundcubemail/releases/tag/1.7.1
Metrics	cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N'}`

Thu, 28 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description	Roundcube's HTML sanitization path for message rendering allows loopback, localhost, RFC1918, link-local, and ULA URLs even when remote content loading is disabled. A remote attacker can send an HTML email that causes the victim's browser to issue requests to local or private-network services simply by opening the message preview.	This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CPEs	cpe:2.3:a:roundcube:webmail::::::::

Thu, 28 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 28 May 2026 12:45:00 +0000

Type	Values Removed	Values Added
Description		Roundcube's HTML sanitization path for message rendering allows loopback, localhost, RFC1918, link-local, and ULA URLs even when remote content loading is disabled. A remote attacker can send an HTML email that causes the victim's browser to issue requests to local or private-network services simply by opening the message preview.
Title		Roundcube Local/Private URL Fetch Bypass
First Time appeared		Roundcube Roundcube webmail
Weaknesses		CWE-184
CPEs		cpe:2.3:a:roundcube:webmail::::::::
Vendors & Products		Roundcube Roundcube webmail
References		https://advisories.orangecyberdefense.com/advisories/163 https://github.com/roundcube/roundcubemail/commit/7b52353653a67e6073b97d70eb94047132b78556 https://github.com/roundcube/roundcubemail/commit/faf867432f51ebbe100382a70a9e3c042415ee1b https://github.com/roundcube/roundcubemail/releases/tag/1.6.16 https://github.com/roundcube/roundcubemail/releases/tag/1.7.1
Metrics		cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N'}`

Subscriptions

Roundcube Webmail

MITRE

Status: REJECTED

Assigner: OCD

Published: 2026-05-28T12:16:05.464Z

Updated: 2026-05-28T16:35:38.661Z

Reserved: 2026-05-28T10:37:45.625Z

Link: CVE-2026-9818

Vulnrichment

Updated:

NVD

Status : Rejected

Published: 2026-05-28T13:16:25.440

Modified: 2026-05-28T17:16:36.090

Link: CVE-2026-9818

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T16:30:15Z

Weaknesses

No weakness.

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object