CVE-2026-25916
📋 TL;DR
Roundcube Webmail versions before 1.5.13 and 1.6 before 1.6.13 fail to block SVG feImage elements when 'Block remote images' is enabled, allowing attackers to bypass image blocking protections. This affects Roundcube Webmail installations using the remote image blocking feature. Attackers can potentially track email opens or load external content despite user protections.
💻 Affected Systems
- Roundcube Webmail
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers can track email opens, determine user IP addresses, and potentially load malicious external content despite the user's image blocking settings.
Likely Case
Email tracking through SVG feImage elements that bypass image blocking, allowing senders to confirm when emails are opened.
If Mitigated
Limited impact if proper network filtering and email security controls are in place to block external SVG content.
🎯 Exploit Status
Exploitation requires sending specially crafted emails with SVG feImage elements to target users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.13 and 1.6.13
Vendor Advisory: https://github.com/roundcube/roundcubemail/commit/26d7677
Restart Required: No
Instructions:
1. Back up the current Roundcube installation.
2. Download and install Roundcube 1.5.13 or 1.6.13 from official sources.
3. Replace the existing installation files with the patched version.
4. Verify that configuration files are preserved.
🔧 Temporary Workarounds
Disable remote image blocking
Temporarily disable the 'Block remote images' feature so there is no blocking left to bypass; note that this loads every remote image unconditionally, so it removes the protection rather than restoring it.
Edit config/config.inc.php and set: $config['enable_remote_images'] = true;
Content filtering at proxy level
Block SVG feImage elements at the network perimeter or email gateway
🧯 If You Can't Patch
- Implement network-level filtering to block SVG feImage requests to external domains
- Educate users about email tracking risks and advise against opening suspicious emails
🔍 How to Verify
Check if Vulnerable:
Check Roundcube version and verify if 'Block remote images' is enabled in configuration
Check Version:
Check program/include/rcube.php or run: grep -r 'Version' program/include/rcube.php
Verify Fix Applied:
Verify installation is version 1.5.13 or higher (for 1.5.x) or 1.6.13 or higher (for 1.6.x)
📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file requests in web server logs
- External image requests despite blocking settings
Network Indicators:
- Outbound requests to external domains with SVG feImage parameters
SIEM Query:
web_server_logs WHERE uri CONTAINS '.svg' AND query_string CONTAINS 'feImage'
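A gateway-side check of the kind the "content filtering" workaround and the detection section call for, added here as an example that is not Roundcube's code or part of the original page: it scans an HTML mail body for SVG feImage elements whose href or xlink:href points to a remote URL, while ignoring inline data: URIs. The sample body and the tracker.example.invalid host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a mail body with an SVG filter whose feImage pulls a
# remote resource (the element class this CVE concerns) plus a harmless
# inline data: URI that must not be flagged.
SAMPLE_BODY = """
<html><body>
<p>Hello</p>
<svg width="1" height="1">
  <filter id="f">
    <feImage xlink:href="https://tracker.example.invalid/p.gif?id=42"/>
    <feImage href="data:image/gif;base64,R0lGODlhAQABAAAAACw="/>
  </filter>
  <rect width="1" height="1" filter="url(#f)"/>
</svg>
</body></html>
"""

REMOTE_SCHEMES = {"http", "https"}


def is_remote(url: str) -> bool:
    """True if rendering the reference would trigger a network fetch."""
    url = url.strip()
    if url.startswith("//"):  # protocol-relative, inherits the page scheme
        return True
    return urlparse(url).scheme.lower() in REMOTE_SCHEMES


class FeImageScanner(HTMLParser):
    """Collects remote URLs referenced by SVG <feImage> elements."""

    def __init__(self):
        super().__init__()
        self.remote_refs = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names, so mixed-case
        # markup such as <FeImage HREF=...> is matched as well.
        if tag != "feimage":
            return
        for name, value in attrs:
            if name in ("href", "xlink:href") and value and is_remote(value):
                self.remote_refs.append(value.strip())


def find_remote_feimage(html_body: str) -> list:
    """Return remote URLs referenced from feImage elements in html_body."""
    scanner = FeImageScanner()
    scanner.feed(html_body)
    scanner.close()
    return scanner.remote_refs


if __name__ == "__main__":
    for ref in find_remote_feimage(SAMPLE_BODY):
        print("remote feImage reference:", ref)
```

A message for which find_remote_feimage returns a non-empty list can be quarantined, rewritten, or logged at the gateway regardless of the client's own image-blocking setting.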