CVE-2026-25916 PUBLISHED

Assigner: mitre
Reserved: 09.02.2026 Published: 09.02.2026 Updated: 09.02.2026

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Score: 4.3

Product Status

Vendor Roundcube
Product Webmail
Versions Default: unaffected
  • affected from 0 to 1.5.13 (excl.)
  • affected from 1.6.0 to 1.6.13 (excl.)

References

Problem Types

  • CWE-420 Unprotected Alternate Channel CWE