CVE-2026-25916

Summary

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.

Affected Software

VendorProductVersion RangeStatus
RoundcubeWebmail0 < 1.5.13affected
RoundcubeWebmail1.6.0 < 1.6.13affected

Weaknesses

  • CWE-420: CWE-420 Unprotected Alternate Channel

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References