Description
An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.
Published: 2026-04-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The issue lets a remote attacker defeat Roundcube Webmail's blocking of remote images by embedding SVG content in an HTML e-mail. Remote image blocking is meant to strip references to external resources before a message is rendered; it does not cover references carried by an SVG animate element whose attributeName is fill, filter or stroke, so such a reference survives sanitization and reaches the recipient's browser when the message is opened, even with remote images blocked. The CVE description lists the consequences as information disclosure or access-control bypass, while the CVSS vector records the effect as a low integrity impact only (C:N/I:L/A:N). The practical concern is the one remote image blocking exists to prevent: the sender learns that and when the message was opened, together with the reader's IP address and client details, without the user opting in.
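As an added illustration of the pattern the description names (this script is not Roundcube's code and is not taken from the advisory), the following Python scanner walks an e-mail's text/html and image/svg+xml parts and reports SMIL `animate` elements that target fill, filter or stroke with a remote `url(...)` value. It assumes the remote reference is carried in the element's values/to/from/by attributes, which is where an animated paint or filter value lives; it also checks `set`, which the description does not mention but which assigns the same attributes. The sample message is constructed for the example.

```python
"""Scan e-mail for SVG SMIL animations that carry a remote url() reference
in fill/filter/stroke, the pattern named in CVE-2026-35545."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser

# Attributes the CVE description names as the animate targets.
TARGET_ATTRS = {"fill", "filter", "stroke"}
# SMIL attributes that supply the animated value (assumption: a remote
# reference is carried here; 'values' may hold several ';'-separated entries).
VALUE_ATTRS = ("values", "to", "from", "by")
# url(...) whose argument is an absolute or scheme-relative remote location.
REMOTE_URL = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^)'\"\s]+)", re.IGNORECASE)


class AnimateScanner(HTMLParser):
    """Collects animate/set elements that animate fill/filter/stroke to a remote url()."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.svg_depth = 0      # >0 while inside an <svg> element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so attributeName
        # arrives as 'attributename'.
        if tag == "svg":
            self.svg_depth += 1
            return
        if tag not in ("animate", "set"):
            return
        a = {name: (value or "") for name, value in attrs}
        target = a.get("attributename", "").strip().lower()
        if target not in TARGET_ATTRS:
            return
        for attr in VALUE_ATTRS:
            for m in REMOTE_URL.finditer(a.get(attr, "")):
                self.findings.append({
                    "element": tag,
                    "attributeName": target,
                    "via": attr,
                    "url": m.group(1),
                    "inside_svg": self.svg_depth > 0,
                    "line": self.getpos()[0],
                })

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1


def scan_html(markup: str) -> list:
    """Return findings for one HTML or SVG document."""
    scanner = AnimateScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


def scan_message(raw: bytes) -> list:
    """Scan every text/html and image/svg+xml part of an RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/html", "image/svg+xml"):
            continue
        body = part.get_content()          # str for text/*, bytes otherwise
        if isinstance(body, bytes):
            body = body.decode(part.get_content_charset() or "utf-8", "replace")
        for f in scan_html(body):
            f["part"] = ctype
            findings.append(f)
    return findings


# Constructed sample: one harmless animation, one animate and one set that
# carry remote url() values (hostnames are placeholders, not real trackers).
SAMPLE_EML = b"""From: sender@example.test
To: victim@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello</p>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <rect width="1" height="1" fill="red">
    <animate attributeName="fill" values="red;blue" dur="1s"/>
    <animate attributeName="fill" values="url(https://tracker.example/pixel.svg#a)" dur="1s"/>
    <set attributeName="filter" to="url(//tracker.example/f.svg#blur)"/>
  </rect>
</svg>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EML):
        print(finding)
```

The scanner is deliberately lenient: it reports elements whether or not they sit inside an `<svg>` (the `inside_svg` flag records that), because HTML mail is rarely well-formed and a sanitizer bypass is exactly the case where structure cannot be trusted. Local fragment references such as `url(#grad)` are ignored since they fetch nothing.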

Affected Systems

The CVE description covers Roundcube Webmail releases before 1.5.15 on the 1.5 branch and before 1.6.15 on the 1.6 branch. It says nothing about 1.7 pre-release builds; consult the GHSA advisory listed under Advisories for their status. Administrators should compare the deployed version against these thresholds rather than rely on the date of their last upgrade.

Risk and Exploitability

The CVSS 3.1 base score is 5.3 (Medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N: reachable over the network with no privileges required. EPSS is below 1% and the issue is not in the CISA KEV catalogue; the SSVC record shows Exploitation: none, Automatable: yes, Technical Impact: partial. Exploitation needs nothing beyond delivering a crafted HTML message to a Roundcube user, which ordinary inbound mail allows, and it takes effect when the recipient opens the message even with remote images blocked. No public exploit is known, but the CVE description names the exact element and attributes involved, so patching should not wait for one.

Generated by OpenCVE AI on April 3, 2026 at 07:21 UTC.

Remediation

According to the CVE description the issue is fixed in Roundcube Webmail 1.5.15 and 1.6.15. No workaround other than upgrading is recorded on this page.

OpenCVE Recommended Actions

  • Upgrade Roundcube Webmail to 1.5.15 or 1.6.15 (or a later release on the same branch), the versions the CVE description identifies as fixed; consult GHSA-w846-74jr-76cv for the status of other branches.
  • Verify that remote image blocking remains enabled (the show_images option in config.inc.php; the default 0 means remote resources are never loaded automatically), keeping in mind that the setting alone does not stop this bypass and the patch is what closes it.
  • Until patched, treat inbound HTML mail containing SVG animate elements whose attributeName is fill, filter or stroke as suspect in mail filtering or detection rules.
  • Monitor Roundcube release notes and security advisories for any further patches or workarounds.



Advisories

Source: GitHub GHSA
ID: GHSA-w846-74jr-76cv
Title: Roundcube Webmail: Remote image blocking feature can be bypassed via SVG content in an e-mail message
History

Fri, 03 Apr 2026 16:30:00 +0000

Metrics (ssvc) added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Title added: SVG Bypass of Remote Image Blocking in Roundcube Webmail

Fri, 03 Apr 2026 05:15:00 +0000

Description added: An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.
First time appeared: Roundcube; Roundcube webmail
Weaknesses added: CWE-669 (Incorrect Resource Transfer Between Spheres)
CPEs added: cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
Vendors & Products added: Roundcube; Roundcube webmail
References
Metrics (cvssV3_1) added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T15:36:13.062Z

Reserved: 2026-04-03T04:02:06.302Z

Link: CVE-2026-35545

Vulnrichment

Updated: 2026-04-03T15:36:05.796Z

NVD

Status : Undergoing Analysis

Published: 2026-04-03T05:16:22.980

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-35545

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:15:49Z

Weaknesses