CVE-2026-25916Unprotected Alternate Channel in Webmail

CWE-420Unprotected Alternate Channel7 documents7 sources
Severity
4.3MEDIUMNVD
EPSS
0.0%
top 90.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Roundcube Webmail
Timeline
PublishedFeb 9
Latest updateFeb 10

Description

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

CVEListV5roundcube/webmail1.6.01.6.13+1

🔴Vulnerability Details

3
CVEList
CVE-2026-25916: Roundcube Webmail before 12026-02-09
OSV
CVE-2026-25916: Roundcube Webmail before 12026-02-09
GHSA
GHSA-q3rv-p5xv-cfpq: Roundcube Webmail before 12026-02-09

🔍Detection Rules

1
Suricata
ET WEB_SPECIFIC_APPS Roundcube Webmail SVG feImage Remote Image Bypass (CVE-2026-25916)2026-02-10

📋Vendor Advisories

1
Debian
CVE-2026-25916: roundcube - Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-25916 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-25916 — Unprotected Alternate Channel | cvebase