CVE-2026-25916

EUVD-2026-6937
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
mitreCNA
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
roundcubewebmail
𝑥
< 1.5.13
CNA
roundcubewebmail
1.6.0 ≤
𝑥
< 1.6.13
CNA
Debian logo
Debian Releases
Debian Product
Codename
roundcube
bookworm
vulnerable
bookworm (security)
1.6.5+dfsg-1+deb12u8
fixed
bullseye
vulnerable
bullseye (security)
1.4.15+dfsg.1-1+deb11u8
fixed
forky
1.6.15+dfsg-1
fixed
sid
1.6.15+dfsg-1
fixed
trixie
1.6.13+dfsg-0+deb13u1
fixed
trixie (security)
1.6.15+dfsg-0+deb13u1
fixed
Common Weakness Enumeration
References
https://github.com/roundcube/roundcubemail/commit/26d7677
https://news.ycombinator.com/item?id=46937012
https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/