Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.
Published: 2026-04-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker to bypass the remote image blocking feature in Roundcube Webmail by embedding SVG content with animate attributes inside an email. When the message is processed, the image loading restrictions are circumvented, potentially exposing sensitive data or allowing the attacker to gain elevated privileges. This is a type of information disclosure and access‑control bypass flaw.

Affected Systems

Roundcube Webmail releases prior to version 1.5.14 and 1.6.14 are affected. The issue is present in the Roundcube Webmail application, which is distributed by the Roundcube vendor.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through crafted email messages designed to trigger the SVG bypass. An attacker would need to send such an email to a user who opens it, and the environment must have the remote image blocking feature enabled for the bypass to be relevant.

Generated by OpenCVE AI on April 7, 2026 at 22:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Roundcube Webmail to version 1.5.14, 1.6.14, or later releases (including 1.7-rc5).
  • If immediate upgrade is not possible, disable the remote image loading feature or restrict it to trusted sources.
  • Monitor mail traffic for suspicious SVG attachments and apply general email security best practices.

Generated by OpenCVE AI on April 7, 2026 at 22:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6196-1 roundcube security update
Github GHSA Github GHSA GHSA-j2g6-8rvg-7mf6 Roundcube Webmail: Bypass of remote image blocking via SVG content (with animate attributes) in an e-mail message
History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title SVG Remote Image Blocking Bypass in Roundcube Webmail

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title SVG Remote Image Blocking Bypass in Roundcube Webmail
First Time appeared Roundcube
Roundcube webmail
Vendors & Products Roundcube
Roundcube webmail

Fri, 03 Apr 2026 05:15:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.
Weaknesses CWE-669
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Roundcube Webmail
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T12:50:54.031Z

Reserved: 2026-04-03T03:57:05.990Z

Link: CVE-2026-35543

cve-icon Vulnrichment

Updated: 2026-04-03T12:50:50.981Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T05:16:22.637

Modified: 2026-04-07T20:40:11.810

Link: CVE-2026-35543

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:54:20Z

Weaknesses