{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-25916", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-02-09T08:14:10.021Z", "datePublished": "2026-02-09T08:14:10.177Z", "dateUpdated": "2026-02-09T15:05:40.859Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Webmail", "vendor": "Roundcube", "versions": [{"lessThan": "1.5.13", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "1.6.13", "status": "affected", "version": "1.6.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when \"Block remote images\" is used, does not block SVG feImage."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-420", "description": "CWE-420 Unprotected Alternate Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-09T08:19:52.048Z"}, "references": [{"url": "https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/"}, {"url": "https://github.com/roundcube/roundcubemail/commit/26d7677"}, {"url": "https://news.ycombinator.com/item?id=46937012"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.5.13"}, {"vulnerable": true, "criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.6.0", "versionEndExcluding": "1.6.13"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T14:54:49.903109Z", "id": "CVE-2026-25916", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:05:40.859Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25916", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T14:54:49.903109Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:00:36.368Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Roundcube", "product": "Webmail", "versions": [{"status": "affected", "version": "0", "lessThan": "1.5.13", "versionType": "semver"}, {"status": "affected", "version": "1.6.0", "lessThan": "1.6.13", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/"}, {"url": "https://github.com/roundcube/roundcubemail/commit/26d7677"}, {"url": "https://news.ycombinator.com/item?id=46937012"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when \"Block remote images\" is used, does not block SVG feImage."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-420", "description": "CWE-420 Unprotected Alternate Channel"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.5.13"}, {"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.6.13", "versionStartIncluding": "1.6.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-09T08:19:52.048Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25916", "state": "PUBLISHED", "dateUpdated": "2026-02-09T15:05:40.859Z", "dateReserved": "2026-02-09T08:14:10.021Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-09T08:14:10.177Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when \"Block remote images\" is used, does not block SVG feImage."}, {"lang": "es", "value": "Roundcube Webmail antes de 1.5.13 y 1.6 antes de 1.6.13, cuando se usa 'Bloquear im\u00e1genes remotas', no bloquea SVG feImage."}], "id": "CVE-2026-25916", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-02-09T09:16:34.193", "references": [{"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/26d7677"}, {"source": "cve@mitre.org", "url": "https://news.ycombinator.com/item?id=46937012"}, {"source": "cve@mitre.org", "url": "https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-420"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.13)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.6.0,1.6.13)"}}], "product": "webmail", "vendor": "roundcube"}], "analysis": {"en": {"generated_at": "2026-04-18T13:06:37.131355+00:00", "value": {"mitigation_remediation": ["Upgrade Roundcube Webmail to version\u202f1.5.13 or later, or\u202f1.6.13 or later, as released by the maintainers. ", "Implement server\u2011side sanitisation to strip or block <feImage> elements from SVG files before they are rendered by the client. ", "Configure network security controls, such as a firewall or proxy, to restrict outbound image requests from Roundcube to trusted domains only."], "summary": {"action": "Apply Patch", "impact": "Moderate disclosure through Block Remote Images bypass"}, "threat_synthesis": {"affected_systems": "Roundcube Webmail\u202f1.5.x releases older than\u202f1.5.13 and\u202f1.6.x releases older than\u202f1.6.13 when the Block remote images option is enabled are affected.", "description_and_impact": "Roundcube Webmail versions before\u202f1.5.13 and\u202f1.6 before\u202f1.6.13 contain a flaw where the Block remote images setting fails to neutralise SVG files that use the feImage element. When a user opens a message that contains such an SVG, the browser will retrieve the referenced remote image, potentially leaking sensitive data or executing malicious code. The weakness is an input validation flaw (CWE\u2011420).", "risk_and_exploitability": "The CVSS score of\u202f4.3 indicates moderate severity, while the EPSS score of less than\u202f1\u202f% implies a low likelihood of widespread exploitation at present. The vulnerability is listed as not included in the CISA KEV catalog. An attacker can potentially exploit the flaw by crafting a message with an SVG containing a feImage element that points to an external resource. The attack requires the victim to open the message in a client that renders SVG images, and it can be used to exfiltrate personal information or to bypass visual loading restrictions imposed by the Block remote images setting."}}}}, "created": "2026-02-10T12:23:46.958242+00:00", "title": "Bypass of Block Remote Images in Roundcube via SVG feImage", "updated": "2026-04-18T13:15:25.711491+00:00", "vendors": ["roundcube", "roundcube$PRODUCT$webmail"]}