UBUNTU-CVE-2026-25916
Advisory lineage Upstream: 1 Downstream: 0
Upstream
Published: 09 Feb 2026, 09:16
Last modified: 30 Mar 2026, 17:59
Vulnerability Summary
Overall Risk (default)
low 17/100
CVSS Score
4.3 MEDIUM
3.1 (osv_ubuntu)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
09 Feb 2026, 09:16
Published
Vulnerability first disclosed
30 Mar 2026, 17:59
Last Modified
Vulnerability information updated
Description
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.
CVSS Metrics
- v3.1 • MEDIUM • Score: 4.3 • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Affected Systems
- ubuntu•roundcube
all | all
References (6)
- https://ubuntu.com/security/CVE-2026-25916
- https://www.cve.org/CVERecord?id=CVE-2026-25916
- https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13
- https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/
- https://github.com/roundcube/roundcubemail/commit/26d7677
- https://news.ycombinator.com/item?id=46937012