Roundcube Webmail: SVG feImage bypasses image blocking to track email opens


Roundcube's HTML sanitizer doesn't treat SVG feImage href as an image source. Attackers can bypass remote image blocking to track email opens.

TL;DR: Roundcube’s rcube_washtml sanitizer blocked external resources on , , and , but not on feImage. Its href went through the wrong code path and was allowed through. Attackers could track email opens even when “Block remote images” was on. Fixed in 1.5.13 and 1.6.13.

Vulnerability information

Vendor: Roundcube
Product: Roundcube Webmail
Affected versions: < 1.5.13, 1.6.x < 1.6.13
Fixed in: 1.5.13, 1.6.13
Disclosure date: 2026-02-08

When allow_remote is false, Roundcube’s sanitizer intercepts image-bearing attributes (src on , href on and ) and runs them through is_image_attribute(). That function blocks external URLs.

Separately, non-image URLs (like ) go through wash_link(), which lets HTTP/HTTPS URLs through. That’s fine for links the user clicks on intentionally.

I got bored during my Christmas vacation and this SVG-based XSS fix via the animate tag appeared on my radar. One SVG bug usually means more. So I spent some time going through rcube_washtml.php, looking at which SVG elements made it onto the allowlist and how their attributes get handled and sanitized.

feImage stood out. Its href gets fetched on render, same as . But the sanitizer sends it through wash_link() instead of is_image_attribute().

So the “Block remote images” setting doesn’t apply to it.
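To make the two code paths concrete, here is an added Python model of the routing described above; it is not Roundcube's PHP code. The function names mirror the page's description, but their bodies, the (img, src) routing entry, the html.parser walker and the tracker.invalid/example.invalid hosts are assumed or constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def is_image_attribute(url, allow_remote):
    """Image-source path (assumed body): external http(s) sources are dropped unless allow_remote."""
    scheme = urlparse(url).scheme.lower()
    if scheme in ("http", "https"):
        return allow_remote
    return True  # inline or relative references are left to other checks in this model

def wash_link(url):
    """Link path (assumed body): http(s) URLs are kept, since a link is only fetched on a click."""
    return urlparse(url).scheme.lower() in ("http", "https")

class Washer(HTMLParser):
    """Walks a message body and records which attributes survive and which are stripped."""
    def __init__(self, allow_remote, image_attrs):
        super().__init__()
        self.allow_remote, self.image_attrs = allow_remote, image_attrs
        self.kept, self.dropped = [], []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases names, so <feImage> arrives here as "feimage"
        for name, value in attrs:
            if value is None:
                continue
            if (tag, name) in self.image_attrs:
                ok = is_image_attribute(value, self.allow_remote)   # image policy
            elif name in ("href", "xlink:href"):
                ok = wash_link(value)                               # link policy
            else:
                ok = True
            (self.kept if ok else self.dropped).append((tag, name, value))

def surviving_remote_refs(html, allow_remote, image_attrs):
    """Return the (tag, attr, url) triples that survive washing and point at an http(s) host."""
    w = Washer(allow_remote, image_attrs)
    w.feed(html)
    return [t for t in w.kept if urlparse(t[2]).scheme in ("http", "https")]

# Assumed routing tables: before the fix feImage href is not an image attribute and
# therefore falls through to wash_link(); after the fix it is treated as an image source.
VULNERABLE_IMAGE_ATTRS = {("img", "src")}
FIXED_IMAGE_ATTRS = VULNERABLE_IMAGE_ATTRS | {("feimage", "href"), ("feimage", "xlink:href")}

# Constructed sample message with a remote <img>, an feImage filter input and a plain link.
SAMPLE = ('<img src="https://tracker.invalid/open.gif">'
          '<svg><filter id="f"><feImage href="https://tracker.invalid/open2.gif"/></filter></svg>'
          '<a href="https://example.invalid/">link</a>')

if __name__ == "__main__":
    for label, table in (("before fix", VULNERABLE_IMAGE_ATTRS), ("after fix", FIXED_IMAGE_ATTRS)):
        print(label, surviving_remote_refs(SAMPLE, allow_remote=False, image_attrs=table))
```

With “Block remote images” on (allow_remote=False), the vulnerable table still lets the feImage href through while the img src is stripped; the fixed table strips both and leaves only the clickable link.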

Technical details
