Roundcube Webmail 1.7.0 contains a vulnerability (CVE-2026-9818) due to incomplete filtering of disallowed URLs in its HTML sanitization path used for message rendering. The sanitization fails to block URLs pointing to loopback, localhost, RFC1918 private address spaces, link-local, and Unique Local Addresses (ULA). Consequently, an attacker can craft an HTML email that triggers the victim's browser to issue requests to internal network services when the message preview is opened, bypassing the intended restriction on remote content loading. This vulnerability is categorized under CWE-184 (Incomplete List of Disallowed Inputs). The CVSS v3.1 base score is 4.7, reflecting a medium severity with network attack vector, low complexity, no privileges required, user interaction needed, and impact limited to integrity loss without confidentiality or availability impact. No official fix or patch has been disclosed by the vendor as of the publication date.

The vulnerability enables a remote attacker to cause a victim's browser to send requests to internal or private network services by simply opening a crafted email message in Roundcube Webmail 1.7.0. This can potentially be used to probe internal network resources or perform other indirect attacks relying on the victim's browser as a proxy. There is no direct confidentiality or availability impact reported. No known exploits have been observed in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is currently available, users should exercise caution when previewing emails from untrusted sources. Network-level controls restricting outbound requests from client browsers to internal network addresses may help mitigate risk. Monitor vendor channels for updates regarding an official fix.