Information Disclosure (CWE-200)CVSS 4.3Medium

Roundcube Webmail Style Sanitizer can be bypassed using CSS Character Escapes

hackerone-reports

March 5, 2026

8 views

Save

€0

Vulnerability Summary

HackerOne disclosed report --> https://hackerone.com/reports/3443563 by somerandomdev

Summary:

The style sanitizer in Roundcube Webmail can be bypassed by creating HTML entities using CSS character escapes. This allows using arbitrary inline CSS, like e.g. url(), and retrieve the IP address and user agent of the person reading the email.

Steps To Reproduce:

Send an HTML email to your account with the following contents:

<div style='content: "\0026quot;; background: url(//http.cat/418); content:""; width: 100%; height: 100%;'>hi, this shouldn't work :(</div>

Open the email in Roundcube in the HTML mode

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

Sign In Register

Related Writeups

hackerone-reports

CVE-2026-6429: netrc credential leak with reused proxy connection

HackerOne disclosed report --> https://hackerone.com/reports/3677759 by nobcoderr

Read Writeup →

pyus3r

Information Disclosure — Unauthenticated API Exposes PII of 500+ Employees and Enterprise Clients

A hardcoded backend URL found in a JavaScript bundle exposed an unauthenticated API endpoint that returned 500+ records containing employee full names, enterprise client details, and internal database IDs. The writeup walks through discovering the URL in the JS bundle, querying the API, and the GDPR/business intelligence impact.