Improper encoding or escaping of output in Roundcube Webmail - #VU124139
Published: March 19, 2026 / Updated: March 19, 2026
Vulnerability identifier: #VU124139
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-116
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Roundcube
Affected software:
Roundcube Webmail
Roundcube Webmail
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass remote image blocking by exploiting various SVG animate attributes.
The vulnerability exists due to improper output neutralization in HTML rendering engine when parsing SVG content with animate attributes. A remote attacker can send a specially crafted HTML email containing malicious SVG elements to load remote images despite blocking settings.
This issue affects the remote image protection mechanism and could lead to tracking and disclosure of user information.
Remediation
Install security update from vendor's website.