LogicalBreach Academy

position: fixed !important bypasses CSS sanitizer's fixed-position mitigation, enabling full-viewport phishing overlays. | Free Bug Bounty Writeup | LogicalBreach Academy

Back

Resource Injection (CWE-99)CVSS 5.4Medium

position: fixed !important bypasses CSS sanitizer's fixed-position mitigation, enabling full-viewport phishing overlays.

hackerone-reports

April 21, 2026

0 views

Save

€0

Vulnerability Summary

HackerOne disclosed report --> https://hackerone.com/reports/3590586 by nullcathedral

When sanitizing CSS, Roundcube's sanitize_css_block() in rcube_utils.php converts position: fixed to position: absolute to prevent overlay attacks (L555-557).

However, the check uses strcasecmp($value, 'fixed') === 0, which requires the entire trimmed value to be exactly "fixed". The value "fixed !important" fails this comparison. The value then flows through the generic token-based validation path, where explode_css_property_block() splits it into tokens ['fixed', '!important'] that both individually pass the allowlist, reassembling as position: fixed !important in the output.

Steps To Reproduce

Step 1: Send an HTML email with the following body:

<!DOCTYPE html>

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

Related Writeups

hackerone-reports

Unquoted body background attribute enables CSS injection that bypasses remote image blocking

HackerOne disclosed report --> https://hackerone.com/reports/3590583 by nullcathedral

Read Writeup →

Discussion

No comments yet.

Be the first to share your thoughts