An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass.
This involves the animate element with attributeName=fill/filter/stroke.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
Low
Partial data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 2
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Roundcube Webmail
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
|
— |
1.5.15
|
|
Roundcube Webmail
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
|
1.6.0
|
1.6.15
|
References 7
https://github.com/roundcube/roundcubemail/commit/7ad62de184368bf42c0f522d1aacc…
cve@mitre.org
https://github.com/roundcube/roundcubemail/commit/9d18d524f3cc211003fc99e2e54ee…
cve@mitre.org
https://github.com/roundcube/roundcubemail/commit/fe1320b199d3a2f58351bb699c9ed…
cve@mitre.org
https://github.com/roundcube/roundcubemail/releases/tag/1.5.15
cve@mitre.org
https://github.com/roundcube/roundcubemail/releases/tag/1.6.15
cve@mitre.org
https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc6
cve@mitre.org
https://roundcube.net/news/2026/03/29/security-updates-1.7-rc6-1.6.15-1.5.15
cve@mitre.org