Suse
CVE-2026-25916
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.
AnalysisAI
Roundcube Webmail versions before 1.5.13 and 1.6.x before 1.6.13 fail to block SVG feImage elements when the "Block remote images" security feature is enabled, allowing attackers to bypass the protection and load remote content. This remote image bypass could enable tracking, information disclosure, or facilitate phishing attacks against users who rely on this feature to prevent remote content loading. No patch is currently available for this medium-severity vulnerability.
Technical ContextAI
Affects Roundcube Webmail. Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.
Affected ProductsAI
Product: Roundcube Webmail. Versions: up to 1.5.13.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Same weakness CWE-420 – Unprotected Alternate Channel
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| SUSE Package Hub 15 SP6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today