# CVE-2026-48846

> In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.

- **CVSS:** 6.5 (MEDIUM)
- **EPSS:** 0.0%
- **CWE:** CWE-669

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-48846
Full threat coverage + IOCs via the Threadlinqs MCP server (Purple tier): https://intel.threadlinqs.com/mcp