CVE-2026-25916
SVG feImage Bypass in Roundcube Webmail Image Blocking
Publication date: 2026-02-09
Last updated on: 2026-02-09
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roundcube | roundcube | before 1.5.13 (1.5.13 not affected) |
| roundcube | roundcube | 1.6.x before 1.6.13 (1.6.13 not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-420 | The product protects a primary channel, but it does not use the same level of protection for an alternate channel. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
I don't know
Can you explain this vulnerability to me?
This vulnerability affects Roundcube Webmail versions before 1.5.13 and 1.6 before 1.6.13. When the "Block remote images" feature is enabled, it fails to block SVG feImage elements. This means that even though remote images are supposed to be blocked, SVG images using the feImage filter can still be loaded.
How can this vulnerability impact me?
The vulnerability can lead to partial circumvention of the "Block remote images" feature in Roundcube Webmail. This could allow remote SVG images to be loaded without user consent, potentially exposing users to privacy risks such as tracking or leaking information through these images.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know