Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.
Published: 2026-04-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply patch
AI Analysis

Impact

Roundcube Webmail implements a feature that blocks the automatic loading of external images in e-mails to protect user privacy. A flaw allows an attacker to embed, in an e-mail, SVG content that uses animate attributes. When the e-mail is viewed, the SVG bypasses the blocking logic and causes the client to fetch the referenced remote image, which can reveal that the mailbox is active or expose sensitive message details. The weakness, improper handling of SVG data in the blocking filter, is classified as CWE-669.

Affected Systems

All installations of Roundcube Webmail running a version earlier than 1.5.14 or 1.6.14 are vulnerable. The issue covers the 1.5.x and 1.6.x series, as well as the 1.7‑rc5 release prior to its update.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS data is reported, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation. The likely attack vector is a crafted e‑mail containing the malicious SVG sent to a user; upon opening the message, the client retrieves the remote image. This straightforward exploitation path means any environment where Roundcube is used as the webmail interface could expose users to information disclosure if they receive such messages.

Generated by OpenCVE AI on April 3, 2026 at 07:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Roundcube Webmail to version 1.5.14, 1.6.14, or 1.7‑rc5 to remove the SVG processing flaw



Advisories
Source: Github GHSA
ID: GHSA-j2g6-8rvg-7mf6
Title: Roundcube Webmail: Bypass of remote image blocking via SVG content (with animate attributes) in an e-mail message
History

Fri, 03 Apr 2026 14:00:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type: Title
Values Added: SVG Remote Image Blocking Bypass in Roundcube Webmail

Type: First Time appeared
Values Added: Roundcube; Roundcube webmail

Type: Vendors & Products
Values Added: Roundcube; Roundcube webmail

Fri, 03 Apr 2026 05:15:00 +0000

Type: Description
Values Added: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.

Type: Weaknesses
Values Added: CWE-669

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Roundcube Webmail
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T12:50:54.031Z

Reserved: 2026-04-03T03:57:05.990Z

Link: CVE-2026-35543

Vulnrichment

Updated: 2026-04-03T12:50:50.981Z

NVD

Status: Undergoing Analysis

Published: 2026-04-03T05:16:22.637

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-35543

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:15:51Z

Weaknesses