[Pkg-roundcube-maintainers] Bug#1127447: roundcube: CSS injection vulnerability and remote image blocking bypass
Salvatore Bonaccorso
carnil at debian.org
Mon Feb 9 20:25:02 GMT 2026
Hi Guilhem,

On Sun, Feb 08, 2026 at 11:41:28PM +0100, Guilhem Moulin wrote:
> * Remote image blocking bypass via SVG content reported by nullcathedral.
> https://github.com/roundcube/roundcubemail/commit/036e851b683333205813f70acda2dc047b4891c8

This one got a CVE assigned, assuming the reporter did request it
accordingly: CVE-2026-25916

There is a blog post about it:
https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/

The first one, AFAIU, does not yet have a CVE.

Regards,
Salvatore