This vulnerability in Roundcube Webmail 1.6.0 (before 1.6.14) involves improper sanitization of CSS content in HTML emails. Specifically, stylesheet links embedded in emails are not sufficiently sanitized, allowing an attacker to craft CSS that references internal or local network resources. This can result in SSRF or information disclosure by causing the server or client to fetch resources from unintended locations. The CVSS 3.1 base score is 5.4, reflecting a network attack vector with high attack complexity and no privileges or user interaction required. The vulnerability is categorized under CWE-669 (Incorrect Resource Transfer Between Spheres).

Successful exploitation may allow an attacker to perform SSRF or disclose sensitive information by leveraging malicious CSS in HTML emails. This could expose internal network resources or data accessible via local hosts. However, the attack complexity is high, and no known exploits have been reported. The impact is limited to confidentiality and integrity, with no availability impact noted.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch links are provided, users should monitor Roundcube's official channels for updates. Until a patch is available, consider restricting or sanitizing HTML email content at the gateway or client level to prevent loading external stylesheets from untrusted sources.