5.3
Roundcube Webmail: Malicious SVG Images Can Bypass Image Blocking
CVE-2026-35543
Summary
Attackers can use specially crafted SVG images in emails to bypass Roundcube Webmail's image blocking feature, potentially allowing them to disclose sensitive information or bypass security controls. Affected versions of Roundcube Webmail are 1.5.13 and earlier, and 1.6.13 and earlier. Update to the latest versions (1.5.14 and 1.6.14) to fix this issue.
Original title
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lea...
Original description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.
NVD CVSS 3.1
5.3
Vulnerability type
CWE-669
- https://github.com/roundcube/roundcubemail/commit/1a63e01542bff42aaa71c00c4c279a...
- https://github.com/roundcube/roundcubemail/commit/39471343ee081ce1d31696c456a2c1...
- https://github.com/roundcube/roundcubemail/commit/82ab5eca7b332fce7a174b2b987f09...
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
- https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026