{"id":"UBUNTU-CVE-2026-25916","details":"Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when \"Block remote images\" is used, does not block SVG feImage.","modified":"2026-05-20T16:12:26.404793295Z","published":"2026-02-09T09:16:00Z","related":["USN-8223-1"],"upstream":["CVE-2026-25916"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-25916"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2026-25916"},{"type":"REPORT","url":"https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13"},{"type":"REPORT","url":"https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/"},{"type":"REPORT","url":"https://github.com/roundcube/roundcubemail/commit/26d7677"},{"type":"REPORT","url":"https://news.ycombinator.com/item?id=46937012"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8223-1"}],"affected":[{"package":{"name":"roundcube","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/roundcube?arch=source&distro=esm-apps%2Fbionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.3.6+dfsg.1-1ubuntu0.1~esm8"}]}],"versions":["1.3.0+dfsg.1-1","1.3.1+dfsg.1-1","1.3.3+dfsg.1-1","1.3.3+dfsg.1-2","1.3.6+dfsg.1-1","1.3.6+dfsg.1-1ubuntu0.1~esm1","1.3.6+dfsg.1-1ubuntu0.1~esm2","1.3.6+dfsg.1-1ubuntu0.1~esm3","1.3.6+dfsg.1-1ubuntu0.1~esm4","1.3.6+dfsg.1-1ubuntu0.1~esm5","1.3.6+dfsg.1-1ubuntu0.1~esm6","1.3.6+dfsg.1-1ubuntu0.1~esm7"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_name":"roundcube","binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-core","binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-mysql","binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-pgsql","binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-plugins","binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-sqlite3","binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm8"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25916.json"}},{"package":{"name":"roundcube","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/roundcube?arch=source&distro=esm-apps%2Ffocal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.3+dfsg.1-1ubuntu0.1~esm8"}]}],"versions":["1.3.8+dfsg.1-2","1.3.10+dfsg.1-1","1.4.1+dfsg.1-2","1.4.2+dfsg.1-1","1.4.2+dfsg.1-2","1.4.3+dfsg.1-1","1.4.3+dfsg.1-1ubuntu0.1~esm1","1.4.3+dfsg.1-1ubuntu0.1~esm2","1.4.3+dfsg.1-1ubuntu0.1~esm3","1.4.3+dfsg.1-1ubuntu0.1~esm4","1.4.3+dfsg.1-1ubuntu0.1~esm5","1.4.3+dfsg.1-1ubuntu0.1~esm6","1.4.3+dfsg.1-1ubuntu0.1~esm7"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_name":"roundcube","binary_version":"1.4.3+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-core","binary_version":"1.4.3+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-mysql","binary_version":"1.4.3+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-pgsql","binary_version":"1.4.3+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-plugins","binary_version":"1.4.3+dfsg.1-1ubuntu0.1~esm8"},{"binary_name":"roundcube-sqlite3","binary_version":"1.4.3+dfsg.1-1ubuntu0.1~esm8"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25916.json"}},{"package":{"name":"roundcube","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/roundcube?arch=source&distro=esm-apps%2Fjammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5.0+dfsg.1-2ubuntu0.1~esm6"}]}],"versions":["1.4.11+dfsg.1-4","1.5.0+dfsg.1-2","1.5.0+dfsg.1-2ubuntu0.1~esm1","1.5.0+dfsg.1-2ubuntu0.1~esm2","1.5.0+dfsg.1-2ubuntu0.1~esm3","1.5.0+dfsg.1-2ubuntu0.1~esm4","1.5.0+dfsg.1-2ubuntu0.1~esm5"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_name":"roundcube","binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm6"},{"binary_name":"roundcube-core","binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm6"},{"binary_name":"roundcube-mysql","binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm6"},{"binary_name":"roundcube-pgsql","binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm6"},{"binary_name":"roundcube-plugins","binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm6"},{"binary_name":"roundcube-sqlite3","binary_version":"1.5.0+dfsg.1-2ubuntu0.1~esm6"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25916.json"}},{"package":{"name":"roundcube","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/roundcube?arch=source&distro=esm-apps%2Fnoble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.6+dfsg-2ubuntu0.1+esm3"}]}],"versions":["1.6.2+dfsg-1","1.6.4+dfsg-1","1.6.5+dfsg-1","1.6.6+dfsg-1","1.6.6+dfsg-2","1.6.6+dfsg-2ubuntu0.1","1.6.6+dfsg-2ubuntu0.1+esm1","1.6.6+dfsg-2ubuntu0.1+esm2"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_name":"roundcube","binary_version":"1.6.6+dfsg-2ubuntu0.1+esm3"},{"binary_name":"roundcube-core","binary_version":"1.6.6+dfsg-2ubuntu0.1+esm3"},{"binary_name":"roundcube-mysql","binary_version":"1.6.6+dfsg-2ubuntu0.1+esm3"},{"binary_name":"roundcube-pgsql","binary_version":"1.6.6+dfsg-2ubuntu0.1+esm3"},{"binary_name":"roundcube-plugins","binary_version":"1.6.6+dfsg-2ubuntu0.1+esm3"},{"binary_name":"roundcube-sqlite3","binary_version":"1.6.6+dfsg-2ubuntu0.1+esm3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25916.json"}},{"package":{"name":"roundcube","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/roundcube?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.6.10+dfsg-1","1.6.10+dfsg-2","1.6.11+dfsg-1"],"ecosystem_specific":{"binaries":[{"binary_name":"roundcube","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-core","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-mysql","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-pgsql","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-plugins","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-sqlite3","binary_version":"1.6.11+dfsg-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25916.json"}},{"package":{"name":"roundcube","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/roundcube?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.6.11+dfsg-1"],"ecosystem_specific":{"binaries":[{"binary_name":"roundcube","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-core","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-mysql","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-pgsql","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-plugins","binary_version":"1.6.11+dfsg-1"},{"binary_name":"roundcube-sqlite3","binary_version":"1.6.11+dfsg-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25916.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}