DEBIAN-CVE-2026-25916 — Vulnetix

DEBIAN-CVE-2026-25916 PUBLISHED CVSS 4.300000190734863 MEDIUM

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.

Risk Scores

CVSS 3.1

4.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Affected Products

Vendor	Product	Versions
Debian:13	roundcube	0, *, 1.6.12+dfsg-1
Debian:14	roundcube	1.6.12+dfsg-1, *, 0
Debian:11	roundcube	1.4.15+dfsg.1, 1.4.11+dfsg.1-4, 1.4.12+dfsg.1-1~bpo10+1
Debian:12	roundcube	1.6.5+dfsg-1+deb12u3, 1.6.5+dfsg-1+deb12u4, 1.6.5+dfsg-1+deb12u5

Timeline

Feb 9, 2026 CVE Published
May 10, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-25916 advisory

Open in Interactive Console →

$ Console Community · 100/wk Open console ›