This vulnerability in Roundcube Webmail arises from inadequate sanitization of Cascading Style Sheets (CSS) in HTML emails. Specifically, the use of the !important directive can bypass fixed-position mitigations designed to restrict CSS behavior. The issue affects versions prior to 1.5.14 and 1.6.14. The CVSS 3.1 base score is 5.3 (medium), reflecting a network attack vector with low complexity, no privileges or user interaction required, and an impact limited to integrity without confidentiality or availability effects. No official remediation level or patch information is provided in the available data.

The vulnerability allows an attacker to bypass CSS fixed-position mitigations via the !important directive in HTML emails, potentially leading to limited integrity impact within the Roundcube Webmail interface. There is no impact on confidentiality or availability reported. No known exploits have been observed in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or remediation level is provided, users should monitor Roundcube's official channels for updates. Until a fix is available, consider restricting or sanitizing HTML email content at the gateway or client level to mitigate potential exploitation.