Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
Roundcube Webmail: Image Blocking Bypass via SVG Content
CVE-2026-35545
Summary
If you use Roundcube Webmail, an attacker may be able to bypass the image blocking feature and potentially access sensitive information or compromise security settings. This is possible if you receive an email with malicious SVG content. To protect yourself, update to the latest version of Roundcube Webmail.
Original title
An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosur...
Original description
An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.
nvd CVSS3.1
5.3
Vulnerability type
CWE-669
- https://github.com/roundcube/roundcubemail/commit/7ad62de184368bf42c0f522d1aacc0...
- https://github.com/roundcube/roundcubemail/commit/9d18d524f3cc211003fc99e2e54eed...
- https://github.com/roundcube/roundcubemail/commit/fe1320b199d3a2f58351bb699c9ed4...
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.15
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.15
- https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc6
- https://roundcube.net/news/2026/03/29/security-updates-1.7-rc6-1.6.15-1.5.15
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026