Security researcher NULL CATHEDRAL has disclosed a new vulnerability in Roundcube Webmail that could let attackers track when an email is opened. The issue affects users even if they have enabled the “Block remote images” setting.
The vulnerability impacts Roundcube Webmail versions below 1.5.13 and 1.6.13. It has been assigned CVE-2026-25916 and was publicly disclosed on February 8, 2026.
Roundcube includes a built-in sanitizer that blocks external images in emails. This feature is meant to protect users from tracking pixels and privacy leaks. Normally, the sanitizer stops remote image loading in common HTML and SVG tags like img, image, and use.
However, the researcher found that one SVG element was missed. The feImage tag was allowed to load remote content even when image blocking was enabled. As a result, attackers could embed a hidden SVG in an email and force the browser to load an external image.
The root cause is how Roundcube classifies attributes. Image-related attributes are supposed to go through a strict filter that blocks external URLs, while link-related attributes are handled by a different function that allows ordinary web links. In the case of feImage, its href attribute was mistakenly treated as a normal link rather than as an image source.
This meant that when an email was opened, the browser would silently make a request to the attacker’s server. The attacker could then confirm that the email was opened. They could also log the user’s IP address and collect basic browser details.
The proof of concept shared by the researcher used a tiny invisible SVG placed off-screen. When rendered, it triggered a remote request without any user interaction. This bypassed the privacy protection users expected from Roundcube’s settings.
Roundcube has now fixed the issue. The update ensures that feImage is treated like other image elements. Its href attribute is now properly blocked when remote images are disabled. The fix was released in Roundcube versions 1.5.13 and 1.6.13. Users and administrators are strongly advised to update as soon as possible.
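To make the attribute-classification flaw concrete, here is an added audit script (not Roundcube's code) that models the sanitizer policy the article describes: elements in an "image" set have remote href/src values blocked, everything else is treated as a plain link. The element sets, the `audit` function and the sample HTML are constructed for illustration; running it with and without feImage in the image set shows why the old policy leaked a remote request.

```python
from html.parser import HTMLParser

# Hypothetical policy tables modelled on the article's description of the sanitizer.
# Note: html.parser lowercases tag names, so "feImage" is matched as "feimage".
IMAGE_ELEMENTS_OLD = {"img", "image", "use"}             # feImage missing: the bug
IMAGE_ELEMENTS_FIXED = IMAGE_ELEMENTS_OLD | {"feimage"}   # the fix the article describes
SRC_ATTRS = {"src", "href", "xlink:href"}


def is_remote(url):
    """True for absolute http(s) or protocol-relative URLs (a remote fetch)."""
    u = url.strip().lower()
    return u.startswith(("http://", "https://", "//"))


class RemoteRefAuditor(HTMLParser):
    """Record which remote references a given image-element policy would let through."""

    def __init__(self, image_elements, block_remote_images=True):
        super().__init__()
        self.image_elements = image_elements
        self.block_remote = block_remote_images
        self.leaked = []    # (tag, attr, url) that would reach the browser and be fetched
        self.blocked = []   # (tag, attr, url) stopped by the strict image filter

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in SRC_ATTRS or not value or not is_remote(value):
                continue
            # Image-type elements go through the strict image filter; any other
            # element's href is treated as an ordinary link and allowed.
            if tag in self.image_elements and self.block_remote:
                self.blocked.append((tag, name, value))
            else:
                self.leaked.append((tag, name, value))


def audit(html, image_elements):
    """Return (leaked, blocked) remote references for the given policy."""
    parser = RemoteRefAuditor(image_elements)
    parser.feed(html)
    parser.close()
    return parser.leaked, parser.blocked


# Constructed sample: an ordinary link (must stay), a remote <img> (must be blocked),
# and an SVG filter element whose href points at a remote host.
SAMPLE = ('<a href="https://example.com/page">link</a>'
          '<img src="https://example.com/pixel.png">'
          '<svg><filter id="f"><feImage href="https://example.com/track.png"/></filter></svg>')
```

With `IMAGE_ELEMENTS_OLD` the feImage reference lands in `leaked` alongside the legitimate link; with `IMAGE_ELEMENTS_FIXED` it moves to `blocked` and only the `<a>` link remains.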