#VU124139 Improper encoding or escaping of output in Roundcube Webmail

Published: March 19, 2026 / Updated: March 19, 2026

Vulnerability identifier: #VU124139
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-116
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Roundcube Webmail
Software vendor: Roundcube

Description

The vulnerability allows a remote attacker to bypass remote image blocking by exploiting various SVG animate attributes.

The vulnerability exists due to improper output neutralization in the HTML rendering engine when parsing SVG content that uses animate attributes. A remote attacker can send a specially crafted HTML email containing malicious SVG elements that cause remote images to be loaded despite the user's blocking settings.

This issue affects the remote image protection mechanism and could lead to tracking and disclosure of user information.


Remediation

Install the security update from the vendor's website.

External links