CVE-2026-25916 — Vulnetix

CVE-2026-25916 PUBLISHED CVSS 4.300000190734863 MEDIUM

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.

EPSS 0.04% · 12.1th percentile

Risk Scores

CVSS 3.1

4.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

EPSS Score

0.04%

12.1th percentile

Affected Products

Vendor	Product	Versions
Roundcube	Roundcube Webmail
roundcube	webmail	1.6.0, 0, 1.6.0
Roundcube	Webmail	1.6.0, 0, 1.6.0

Exploit Intelligence

CIRCL seen: CVE-2026-25916 (circl-sighting)
CIRCL seen: CVE-2026-25916 (circl-sighting)
CIRCL seen: CVE-2026-25916 (circl-sighting)
https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/ (circl)
https://github.com/roundcube/roundcubemail/commit/26d7677 (circl)
https://news.ycombinator.com/item?id=46937012 (circl)
ET WEB_SPECIFIC_APPS Roundcube Webmail SVG feImage Remote Image Bypass (CVE-2026-25916) (emergingthreats)
ET WEB_SPECIFIC_APPS Roundcube Webmail SVG feImage Remote Image Bypass (CVE-2026-25916) (emergingthreats)
Roundcube Webmail DOM-based XSS Exploit via SVG href Attribute (cxsecurity)
Roundcube Webmail DOM-based XSS Exploit via SVG href Attribute (cxsecurity)

Timeline

Feb 9, 2026 CVE Published
Feb 9, 2026 EPSS Score
Feb 9, 2026 CVE ID Reserved
Feb 9, 2026 PoC Published
Feb 9, 2026 CVE Updated
Feb 10, 2026 PoC Published
Feb 11, 2026 EPSS Score
Feb 13, 2026 EPSS Score
Feb 15, 2026 EPSS Score
Feb 15, 2026 PoC Published
Feb 17, 2026 EPSS Score
Feb 19, 2026 EPSS Score

References

Open in Interactive Console →

$ Console Community · 100/wk Open console ›