# NULL CATHEDRAL - Svg

> https://nullcathedral.com/tags/svg/
> Generated: 2026-02-15

---

## [Roundcube Webmail <1.5.13 / <1.6.13 allows attackers to force remote image loads via SVG feImage](https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/)

**February 8, 2026**

Roundcube's HTML sanitizer doesn't treat SVG feImage href as an image source. Attackers can bypass remote image blocking to track email opens. (CVE-2026-25916)

Tags: [vulnerability](https://nullcathedral.com/tags/vulnerability/), [roundcube](https://nullcathedral.com/tags/roundcube/), [svg](https://nullcathedral.com/tags/svg/), [email-security](https://nullcathedral.com/tags/email-security/)

---