A vulnerability identified as critical has been detected in Roundcube Webmail up to 1.6.15/1.7.0 . This affects the function var of the component CSS Handler . The manipulation leads to incorrect resource transfer. This vulnerability is traded as CVE-2026-48846 . It is possible to initiate the attack remotely. There is no exploit available. You should upgrade the affected component.