# NULL CATHEDRAL - Css

> https://nullcathedral.com/tags/css/
> Generated: 2026-04-10

---

## [Roundcube round two: three more sanitizer bypasses](https://nullcathedral.com/posts/2026-03-18-roundcube-round-two-three-more-sanitizer-bypasses/)

**March 18, 2026**

Three more bypasses in Roundcube's HTML sanitizer: SMIL animation attributes load remote resources, unquoted body backgrounds enable CSS injection, and position:fixed !important enables phishing overlays.

Tags: [vulnerability](https://nullcathedral.com/tags/vulnerability/), [roundcube](https://nullcathedral.com/tags/roundcube/), [svg](https://nullcathedral.com/tags/svg/), [css](https://nullcathedral.com/tags/css/), [email-security](https://nullcathedral.com/tags/email-security/)

---