CVE-2026-25916
Published 2026-02-09
CVE-2026-25916: Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.
Priority P4 · 22 · medium · CVSS 3.1 base score 4.3
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:L / I:N / A:N
EPSS: 0.63% (45.6th percentile)
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage. In practice an `<feImage>` primitive inside an SVG filter in an HTML message can carry a remote URL, and that URL is fetched when the message is rendered, so a sender gets the same open-tracking beacon that the remote-image block is meant to stop (the Bugzilla entry below titles it "SVG feImage bypasses image blocking to track email opens"). The `<img src>` and SVG `<image href>` cases are blocked; the filter simply did not cover the `feImage` element.
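The gap the description names, modelled in an added Python example that is not Roundcube's code: the scanner lists every element attribute in an HTML mail body that would fetch a remote URL, and the filter rewrites those URLs to a placeholder. Calling it with `blocked_tags=("img", "image")` models a filter that handles `<img>` and SVG `<image>` but forgets `<feImage>`. The function names, the `IMAGE_ATTRS` table, the `about:blank` placeholder and the sample mail body are this example's own assumptions.

```python
"""Model of a webmail "block remote images" filter and the SVG <feImage> gap.

Added example; not Roundcube's implementation. It parses an HTML mail body,
lists every element attribute that would fetch a remote URL when rendered and
rewrites those URLs to a placeholder. blocked_tags=("img", "image") models a
filter that forgot <feImage>, which is the behaviour CVE-2026-25916 describes.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# element -> attributes that make it load the URL they carry (assumed table)
IMAGE_ATTRS = {
    "img": ("src",),
    "image": ("href", "xlink:href"),    # SVG <image>
    "feimage": ("href", "xlink:href"),  # SVG <feImage>, the CVE-2026-25916 gap
}
REMOTE_PREFIXES = ("http:", "https:", "//")
PLACEHOLDER = "about:blank"  # assumed stand-in for a blocked URL


@dataclass
class RemoteRef:
    tag: str
    attr: str
    url: str
    start: int  # absolute offset of the start tag in the document
    end: int


def is_remote(url: str) -> bool:
    # cid:, data: and relative references stay local; http(s) and
    # scheme-relative URLs cause a network fetch, i.e. an open beacon.
    return url.strip().lower().startswith(REMOTE_PREFIXES)


class _Scanner(HTMLParser):
    def __init__(self, text: str):
        super().__init__()
        self.text = text
        self.refs: list[RemoteRef] = []
        # absolute offset of each line start, to turn getpos() into an index
        self.line_starts = [0] + [i + 1 for i, c in enumerate(text) if c == "\n"]

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <feImage>,
        # <FEIMAGE> and xlink:HREF all arrive normalised. A browser's HTML
        # tokenizer does the same before it re-cases SVG names, so a filter
        # that string-matches "feImage" case-sensitively is still bypassable.
        wanted = IMAGE_ATTRS.get(tag, ())
        for attr, value in attrs:
            if attr in wanted and value and is_remote(value):
                line, col = self.getpos()
                start = self.line_starts[line - 1] + col
                end = start + len(self.get_starttag_text())
                self.refs.append(RemoteRef(tag, attr, value, start, end))

    handle_startendtag = handle_starttag  # <feImage .../> is self-closing


def find_remote_refs(html: str) -> list[RemoteRef]:
    scanner = _Scanner(html)
    scanner.feed(html)
    scanner.close()
    return scanner.refs


def block_remote_images(html: str, blocked_tags=tuple(IMAGE_ATTRS)):
    """Return (sanitised_html, refs_left_unblocked)."""
    refs = find_remote_refs(html)
    blocked = [r for r in refs if r.tag in blocked_tags]
    left = [r for r in refs if r.tag not in blocked_tags]
    # group attributes by start-tag span and rewrite last span first so that
    # earlier offsets stay valid while the document changes length
    spans = {}
    for r in blocked:
        spans.setdefault((r.start, r.end), []).append(r.attr)
    out = html
    for (start, end), attrs in sorted(spans.items(), reverse=True):
        raw = html[start:end]
        for attr in attrs:
            pat = re.compile(
                r'(\s' + re.escape(attr) + r'\s*=\s*)(?:"[^"]*"|\'[^\']*\'|[^\s>]+)', re.I)
            raw = pat.sub(lambda m: m.group(1) + '"' + PLACEHOLDER + '"', raw, count=1)
        out = out[:start] + raw + out[end:]
    return out, left


# Constructed sample: a mail with a classic tracking pixel, the same beacon
# smuggled through an SVG filter primitive, and one harmless inline image.
SAMPLE_MAIL = """<html><body>
<p>Hello</p>
<img src="https://track.example/px.gif?u=42" width="1" height="1">
<svg width="1" height="1"><filter id="f">
  <feImage xlink:href="https://track.example/open?u=42"/>
</filter><rect filter="url(#f)" width="1" height="1"/></svg>
<svg><image href="cid:logo@example"/></svg>
</body></html>"""


if __name__ == "__main__":
    legacy, missed = block_remote_images(SAMPLE_MAIL, blocked_tags=("img", "image"))
    print("missed by an img/image-only filter:", [(r.tag, r.url) for r in missed])
    fixed, missed = block_remote_images(SAMPLE_MAIL)
    print("missed by the full filter:", missed)
    print(fixed)
```

The scanner works on the parser's view of the document rather than on the raw bytes on purpose: any check that looks for the literal string `feImage` misses `<FEIMAGE>` and `<feimage>`, both of which an HTML parser normalises and then re-cases to the SVG element.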
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 1.6.5+dfsg-1+deb12u7 (bookworm) | roundcube 1.6.5+dfsg-1+deb12u7 (bookworm) |
| roundcube | webmail | < 1.5.13 | 1.5.13 |
| roundcube | webmail | >= 1.6.0 < 1.6.13 | 1.6.13 |
| ubuntu | roundcube | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
| osv | 4.3 | MEDIUM | — |
| vendor_ubuntu | 7.4 | HIGH | — |
| vendor_debian | 4.3 | MEDIUM | — |

The vendor_ubuntu entry scores a notice that covers several CVEs (see the Ubuntu section below), so its 7.4 is not a rating of this issue alone.
Ubuntu
Roundcube Webmail vulnerabilities
vendor_ubuntu · 2026-04-29 · CVSS 7.4 · indexed as CVE-2024-42010 [HIGH]
Summary: Several security issues were fixed in Roundcube Webmail.
It was discovered that Roundcube Webmail mishandled Punycode xn-- domain names.
An attacker could possibly use this issue to cause a homograph attack. (CVE-2019-15237)
It was discovered that Roundcube Webmail did not properly sanitize certain
attributes when handling CSS within HTML messages and certain SVG attributes.
An attacker could possibly use this issue to cause a cross-site scripting attack.
(CVE-2024-38356, CVE-2024-38357)
It was discovered that Roundcube Webmail did not properly sanitize certain HTML
attributes when rendering e-mail messages. An attacker could possibly use this
issue to cause a cross-site scripting attack. (CVE-2024-42008)
It was discovered that Roundcu
Debian
CVE-2026-25916: roundcube
vendor_debian · 2026 · CVSS 4.3 · [MEDIUM]
Scope: local
bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u7)
bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u7)
forky: resolved (fixed in 1.6.13+dfsg-1)
sid: resolved (fixed in 1.6.13+dfsg-1)
trixie: resolved (fixed in 1.6.13+dfsg-0+deb13u1)
OSV
CVE-2026-25916 [MEDIUM]
osv · 2026-02-09 · CVSS 4.3
GHSA
GHSA-q3rv-p5xv-cfpq (CVE-2026-25916) [MEDIUM] · CWE-420
ghsa_unreviewed · 2026-02-09
Suricata
ET WEB_SPECIFIC_APPS Roundcube Webmail SVG feImage Remote Image Bypass (CVE-2026-25916)
suricata · 2026-02-10 · CVSS 4.3 · [MEDIUM] · sid 2067446 rev 1
Rule:

```
alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Roundcube Webmail SVG feImage Remote Image Bypass (CVE-2026-25916)"; flow:established,to_server; content:"|3c|svg"; content:"|3c|feImage|20|"; fast_pattern; distance:0; content:"href|3d 22|"; distance:0; pcre:"/\x3csvg(?:(?!\x3e\x2fsvg).)+\x3cfeImage\x20[^\x3e]*?href\x3d\x22(?:[a-z]+\x3a\x2f{2}|\x5c{2})/"; reference:url,nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/; reference:cve,2026-25916; classtype:web-application-attack; sid:2067446; rev:1; metadata:affected_product Roundcube, attack_target Server, created_at 2026_02_10, cve CVE_2026_25916, deployment Perimeter, deployment Internal,
```
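To see what the rule fires on and what it lets through, here is an added Python harness, not part of the page or of the ET ruleset, that folds the rule's three `content` matches into an ordered pre-filter (`distance:0` means "after the end of the previous match") and runs its `pcre` transcribed byte for byte with the same flags the rule uses (no `i`, no `s`). The sample SMTP body fragments and the function names are this example's own.

```python
"""Exercising the ET rule for CVE-2026-25916 against constructed SMTP body fragments.

Added example, not from the page or the ET ruleset. The content: matches become
an ordered pre-filter and the pcre: option is transcribed unchanged into a
Python bytes regex with the rule's own flags: case-sensitive, and '.' does not
cross a newline.
"""
import re

# content:"|3c|svg"; content:"|3c|feImage|20|"; content:"href|3d 22|"
CONTENT_CHAIN = [b"<svg", b"<feImage ", b'href="']

# pcre:"/\x3csvg(?:(?!\x3e\x2fsvg).)+\x3cfeImage\x20[^\x3e]*?href\x3d\x22(?:[a-z]+\x3a\x2f{2}|\x5c{2})/"
RULE_PCRE = re.compile(
    rb"\x3csvg(?:(?!\x3e\x2fsvg).)+\x3cfeImage\x20[^\x3e]*?"
    rb"href\x3d\x22(?:[a-z]+\x3a\x2f{2}|\x5c{2})"
)


def content_chain_matches(payload: bytes) -> bool:
    """Each needle must occur at or after the end of the previous one."""
    pos = 0
    for needle in CONTENT_CHAIN:
        idx = payload.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


def rule_matches(payload: bytes) -> bool:
    """Suricata evaluates the content chain first, then the pcre."""
    return content_chain_matches(payload) and RULE_PCRE.search(payload) is not None


# Constructed fragments of an HTML mail body as they would appear on the wire.
SAMPLES = {
    "double-quoted href, one line":
        b'<svg><filter id="f"><feImage href="https://track.example/o?u=42"/></filter></svg>',
    "xlink:href (contains href=\")":
        b'<svg><filter><feImage xlink:href="https://track.example/o"/></filter></svg>',
    "UNC path":
        b'<svg><filter><feImage href="\\\\track.example\\s\\a.svg"/></filter></svg>',
    "feImage after a closed </svg>":
        b'<svg></svg><p>x</p><feImage href="https://track.example/o"/>',
    "newline between <svg and <feImage":
        b'<svg width="1">\n<filter><feImage href="https://track.example/o"/></filter></svg>',
    "lower-case feimage":
        b'<svg><filter><feimage href="https://track.example/o"/></filter></svg>',
    "single-quoted href":
        b"<svg><filter><feImage href='https://track.example/o'/></filter></svg>",
    "quoted-printable body (href=3D)":
        b'<svg><filter><feImage href=3D"https://track.example/o"/></filter></svg>',
}


def evaluate_samples() -> dict:
    """Map each sample label to whether the rule would alert on it."""
    return {label: rule_matches(body) for label, body in SAMPLES.items()}


if __name__ == "__main__":
    for label, hit in evaluate_samples().items():
        print(f"{'ALERT ' if hit else 'silent'}  {label}")
```

Four properties follow from the bytes of the rule rather than from any claim on this page. Matching is case-sensitive, so `<feimage` or `<FEIMAGE` (both re-cased to `feImage` by an HTML parser inside `<svg>`) is not caught. The pcre has no `s` flag, so `.` does not cross a newline and `<svg` and `<feImage` must sit on one line. The rule declares no sticky buffer, so its matches run over the raw stream, where a quoted-printable `href=3D"` or a base64-encoded part never contains the literal `href="`. And the negative lookahead is written as `>/svg` rather than `</svg`, so a `feImage` that follows a closed `</svg>` still matches.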
No public exploits indexed.
Wiz
CVE-2026-25916 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.3 · [MEDIUM]
CVE-2026-25916: Linux Debian vulnerability analysis and mitigation
Source: NVD · Score 4.3 (CNA score 4.3) · Severity MEDIUM · Published February 9, 2026
Affected technologies: Linux Debian, Linux Ubuntu
Has public exploit: Yes · In CISA KEV: No (release date N/A, due date N/A)
EPSS percentile: 9.8 · EPSS probability: N/A
Affected packages and libraries: roundcubemail, roundcube
Sources:
NVD
Debian 11, 12, 13, 14 · Severity MEDIUM · Has fix · Added Feb 10, 2026
Echo · Severity MEDIUM · Has fix · Added Feb 10, 2026
Ubuntu 18.04, 20.04, 22.04, 24.04, 25.10 · Severity MEDIUM · No fix · Added Mar 10, 202
Bugzilla
CVE-2026-25916 roundcubemail: SVG feImage bypasses image blocking to track email opens [fedora-42]
bugzilla · 2026-02-09 · CVSS 4.3 · [MEDIUM]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version