CVE-2026-25916

MEDIUM4.3EPSS 0.04%

roundcube - security update

Published: 2/9/2026Modified: 2/17/2026
Also known as:DSA-6137-1DEBIAN-CVE-2026-25916DEBIAN-CVE-2026-26079

Description

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.

Affected packages (3)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1MEDIUM4.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

References (1)