This CVE has been withdrawn by MITRE
MITRE marked CVE-2026-9818 as REJECTED on . There is no longer a valid blast radius to assess. Any historical package or vendor data shown below is preserved for audit reference only.
Reason given by MITRE
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2026-9818 Blast Radius
✕ WITHDRAWN — HISTORICAL DATARoundcube's HTML sanitization path for message rendering allows loopback, localhost, RFC1918, link-local, and ULA URLs even when remote content loadin…