- What: A cross-site scripting (XSS) vulnerability exists in Roundcube Webmail due to improper handling of SVG feImage elements when the 'Block remote images' feature is enabled.
- Impact: Attackers can bypass the remote image blocking feature, enabling email tracking, user fingerprinting, and potential information disclosure.
- Affected: Roundcube Webmail versions before 1.5.13 and 1.6.x before 1.6.13.
- CVE: CVE-2026-25916
CVE-2026-25916: Roundcube Webmail XSS Vulnerability

CVE-2026-25916 is an XSS vulnerability in Roundcube Webmail that bypasses the "Block remote images" feature through SVG feImage elements. This article covers the technical details, affected versions, and mitigation.

Published: February 13, 2026

CVE-2026-25916 Overview

CVE-2026-25916 is classified as an input validation error in Roundcube Webmail versions before 1.5.13 and 1.6.x before 1.6.13. When the "Block remote images" security feature is enabled, the application fails to block SVG feImage elements, allowing attackers to bypass the remote image blocking mechanism. The bypass can be leveraged to track email recipients, fingerprint users, or potentially exploit other remote resource loading vulnerabilities.

Critical Impact

Attackers can bypass Roundcube's remote image blocking feature using SVG feImage elements, enabling email tracking, user fingerprinting, and potential information disclosure.

Affected Products

- Roundcube Webmail versions before 1.5.13
- Roundcube Webmail versions 1.6.x before 1.6.13

Discovery Timeline

- 2026-02-09 - CVE-2026-25916 published to NVD
- 2026-02-09 - Last updated in NVD database

Technical Details for CVE-2026-25916

Vulnerability Analysis

The vulnerability exists in Roundcube Webmail's HTML sanitization library (rcube_washtml.php), which filters potentially dangerous content from emails before they are displayed to users. While the implementation blocked remote image loading for common HTML elements and for some SVG elements such as <use> and <image>, it did not account for the SVG <feImage> element. <feImage> is an SVG filter primitive and can reference external resources via its href attribute.
When a malicious email containing an SVG with a feImage element that references an external URL is opened by a user with "Block remote images" enabled, the browser still attempts to load the remote resource, completely bypassing the intended security control.

Root Cause

The root cause is incomplete input validation in the rcube_washtml.php sanitization logic. The code that identifies and blocks remote resource URLs checked only specific tag/attribute combinations (use with href and image with href) and did not include the feImage SVG element in that check. As a result, the feImage element's href attribute passed through the sanitizer unmodified, preserving the external URL reference.

Attack Vector

An attacker can exploit this vulnerability by crafting an email containing an SVG element with a feImage filter primitive whose href attribute points to an attacker-controlled server. When the victim opens the email in Roundcube Webmail, even with "Block remote images" enabled, their browser requests the external resource, revealing the victim's IP address and user agent and confirming that the email was opened. This technique is commonly used for email tracking and reconnaissance.
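As an added example that is not part of this article or of Roundcube's code, the following Python check implements the content-inspection rule the mechanism above calls for: it walks an email's HTML body and reports any SVG feImage, image or use element whose href (or xlink:href) points at a remote resource, treating fragment and data: references as local. The tag list mirrors the patched Roundcube check; the sample message and the tracker.example URL are constructed for the illustration.

```python
# Added example (not Roundcube code): a content-inspection check that flags
# SVG elements whose href loads a remote resource, covering the tag names the
# patched Roundcube regex enumerates and both spellings of href.
from html.parser import HTMLParser
from urllib.parse import urlparse

# html.parser lower-cases tag names, so <feImage> arrives as "feimage".
SVG_HREF_TAGS = {"feimage", "image", "use"}
# SVG 1.1 content still uses xlink:href; html.parser keeps the prefix.
HREF_ATTRS = {"href", "xlink:href"}

# Constructed sample message: a filter primitive that pulls a tracking pixel.
SAMPLE_EMAIL_HTML = """<html><body><p>Hello</p>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <filter id="f"><feImage href="https://tracker.example/pixel?id=abc123"/></filter>
  <rect width="1" height="1" filter="url(#f)"/>
  <use href="#local-symbol"/>
</svg></body></html>"""


def is_remote(url: str) -> bool:
    """http(s) and protocol-relative URLs are remote; #fragment and data: are not."""
    url = url.strip()
    if url.startswith("//"):
        return True
    return urlparse(url).scheme.lower() in {"http", "https"}


class SvgHrefScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.findings = []  # (tag, url) pairs

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth and tag in SVG_HREF_TAGS:
            for name, value in attrs:
                if name in HREF_ATTRS and value and is_remote(value):
                    self.findings.append((tag, value))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1


def scan_html(body: str) -> list:
    scanner = SvgHrefScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings
```

Since the resource is fetched by the recipient's browser rather than by the webmail server, a check like this on message content complements the network-level monitoring the article recommends.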
Security patch in program/lib/Roundcube/rcube_washtml.php (excerpt of the upstream diff):

```php
// Security patch in program/lib/Roundcube/rcube_washtml.php
// Fix remote image blocking bypass via SVG content reported by nullcathedral
|| $attr == 'color-profile' // SVG
|| ($attr == 'poster' && $tag == 'video')
|| ($attr == 'src' && preg_match('/^(img|image|source|input|video|audio)$/i', $tag))
- || ($tag == 'use' && $attr == 'href') // SVG
- || ($tag == 'image' && $attr == 'href'); // SVG
+ || ($attr == 'href' && preg_match('/^(feimage|image|use)$/i', $tag)); // SVG
}

/**
```

Source: GitHub Commit

Detection Methods for CVE-2026-25916

Indicators of Compromise

- Unexpected outbound HTTP/HTTPS requests originating from webmail server sessions to unknown external domains
- Email messages containing SVG elements with feImage tags and external href attributes in message logs
- Web server logs showing requests to suspicious tracking URLs immediately after email opens

Detection Strategies

- Implement content inspection rules to identify emails containing SVG feImage elements with external URL references
- Monitor network traffic from Roundcube instances for connections to known tracking domains or suspicious external resources
- Review email content filtering logs for SVG-based content that may indicate exploitation attempts

Monitoring Recommendations

- Enable verbose logging on Roundcube Webmail instances to capture email content inspection events
- Deploy network-level monitoring to detect and alert on unusual outbound connections from webmail server infrastructure
- Consider implementing Content Security Policy (CSP) headers to restrict external resource loading

How to Mitigate CVE-2026-25916

Immediate Actions Required

- Upgrade Roundcube Webmail to version 1.5.13 or later for the 1.5.x branch
- Upgrade Roundcube Webmail to version 1.6.13 or later for the 1.6.x branch
- Review email security policies and consider additional content filtering at the mail gateway level

Patch Information

The vulnerability has been addressed in commit 26d7677 whic
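Review bot: the replacement line in the patch excerpt still enumerates tag names (`feimage|image|use`), so it fixes the reported element but keeps the design that produced the bypass: any other SVG element that loads a remote resource through `href` and is absent from the regex passes unchanged, exactly as feImage did. Suggest treating `href` on any SVG element as a remote-resource attribute, or at least adding a comment naming where the list comes from and a regression test per listed element. The condition also matches `$attr == 'href'` only; unless an earlier step normalises `xlink:href` to `href`, that legacy attribute spelling needs to be covered here as well.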