CVE-2026-35545
Published 2026-04-03
Priority P3 · 45 · high · 8.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.33% (24.6th percentile)
An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 1.6.5+dfsg-1+deb12u8 (bookworm) | roundcube 1.6.5+dfsg-1+deb12u8 (bookworm) |
| roundcube | roundcubemail | >= 1.7-beta < 1.7-rc5 | 1.7-rc5 |
| roundcube | webmail | < 1.5.15 | 1.5.15 |
| roundcube | webmail | >= 1.6.0 < 1.6.15 | 1.6.15 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| osv | 8.2 | HIGH | |
| vendor_debian | 5.3 | MEDIUM | |
OSV
Roundcube Webmail: Remote image blocking feature can be bypassed via SVG content in an e-mail message
osv·2026-04-03
CVE-2026-35545 [MEDIUM] Roundcube Webmail: Remote image blocking feature can be bypassed via SVG content in an e-mail message
OSV
CVE-2026-35545: An issue was discovered in Roundcube Webmail before 1
osv·2026-04-03·CVSS 8.2
CVE-2026-35545 [HIGH] CVE-2026-35545: An issue was discovered in Roundcube Webmail before 1
GHSA
Roundcube Webmail: Remote image blocking feature can be bypassed via SVG content in an e-mail message
ghsa·2026-04-03
CVE-2026-35545 [MEDIUM] CWE-669 Roundcube Webmail: Remote image blocking feature can be bypassed via SVG content in an e-mail message
Debian
CVE-2026-35545: roundcube - An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remot...
vendor_debian·2026·CVSS 5.3
CVE-2026-35545 [MEDIUM] CVE-2026-35545: roundcube - An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remot...
Scope: local
bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8)
bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u8)
forky: resolved (fixed in 1.6.15+dfsg-1)
sid: resolved (fixed in 1.6.15+dfsg-1)
trixie: resolved (fixed in 1.6.15+dfsg-0+deb13u1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-35545 roundcubemail: Roundcube Webmail: Information disclosure and access-control bypass via SVG content in email. [fedora-all]
bugzilla·2026-04-03·CVSS 5.3
CVE-2026-35545 [MEDIUM] CVE-2026-35545 roundcubemail: Roundcube Webmail: Information disclosure and access-control bypass via SVG content in email. [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-6d293b6889 (roundcubemail-1.7~rc6-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-6d293b6889
---
FEDORA-2026-8ba1a085a9 (roundcubemail-1.6.15-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-8ba1a085a9
---
FEDORA-2026-051825ca18 (roundcubemail-1.6.15-1.fc42) has been submitted as an update to
Bugzilla
CVE-2026-35545 roundcubemail: Roundcube Webmail: Information disclosure and access-control bypass via SVG content in email. [epel-all]
bugzilla·2026-04-03·CVSS 5.3
CVE-2026-35545 [MEDIUM] CVE-2026-35545 roundcubemail: Roundcube Webmail: Information disclosure and access-control bypass via SVG content in email. [epel-all]
Discussion:
FEDORA-EPEL-2026-82b702d826 (roundcubemail-1.6.15-1.el10_1) has been submitted as an update to Fedora EPEL 10.1.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-82b702d826
---
FEDORA-EPEL-2026-646aebe990 (roundcubemail-1.6.15-1.el10_2) has been submitted as an update to Fedora EPEL 10.2.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-646aebe990
---
FEDORA-EPEL-2026-f7a0d90857 (roundcubemail-1.6.15-1.
Wiz
CVE-2026-35545 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-35545 [MEDIUM] CVE-2026-35545 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35545: PHP vulnerability analysis and mitigation
| Field | Value |
|---|---|
| Score | 5.3 |
| Published | April 3, 2026 |
| Severity | MEDIUM |
| CNA Score | 5.3 |
| Affected Technologies | PHP, Linux Debian |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 10.1 |
| Exploitation Probability (EPSS) | N/A |
Affected packages and libraries
roundcube/roundcubemail
roundcube
Sources
NVD
Debian 11, 12, 13, 14 Severity MEDIUM Ha
https://github.com/roundcube/roundcubemail/commit/7ad62de184368bf42c0f522d1aacc030f5ddcc46
https://github.com/roundcube/roundcubemail/commit/9d18d524f3cc211003fc99e2e54eed09a2f3da88
https://github.com/roundcube/roundcubemail/commit/fe1320b199d3a2f58351bb699c9ed4316e73221b
https://github.com/roundcube/roundcubemail/releases/tag/1.5.15
https://github.com/roundcube/roundcubemail/releases/tag/1.6.15
https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc6
https://roundcube.net/news/2026/03/29/security-updates-1.7-rc6-1.6.15-1.5.15
Published 2026-04-03