Key Information

Vulnerability Summary

- Vulnerability Type: Allows attackers to force remote image loading
- Affected Versions: Roundcube Webmail < 1.5.13 / < 1.6.13
- Fixed Versions: 1.5.13, 1.6.13
- Disclosure Date: 2026-02-08

Vulnerability Background

Roundcube's HTML sanitizer improperly handles the attribute within SVG tags, so external images are loaded even when Roundcube is configured to block them.

Discovery

The attribute in tags is not properly blocked, even when remote images are disabled via user settings.

Technical Details

Code analysis reveals two critical functions in :

- does not cover the tag
- captures all attributes, resulting in the vulnerability

Proof of Concept

Impact

Attackers can track email opens even when users have disabled remote image loading. User IP addresses and browser fingerprinting data may be logged.

Mitigation

Upgrade Roundcube to version 1.5.13 or 1.6.13.
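For triage of stored or inbound mail, the following Python scanner is an added example, not Roundcube's code and not part of the original advisory. It reports every remote URL referenced from inside an SVG subtree, without relying on a per-tag or per-attribute list. It does not reproduce the specific tag or attribute behind this issue; the class and function names, the sample message and the host `tracker.example` are constructed for illustration.

```python
# Added example (not Roundcube code): flag remote references anywhere inside <svg>.
import re
from html.parser import HTMLParser

# Absolute or protocol-relative URL at the start of an attribute value.
REMOTE = re.compile(r"^\s*(?:https?:)?//", re.I)
# CSS-style url(...) reference to a remote host, as used in presentation attributes.
CSS_URL = re.compile(r"url\(\s*['\"]?\s*(?:https?:)?//", re.I)

class SvgRemoteRefScanner(HTMLParser):
    """Record (tag, attribute, value) for each remote reference in an SVG subtree."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.svg_depth = 0
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if not self.svg_depth:
            return
        # No per-tag or per-attribute allowlist: every attribute is inspected,
        # so an element the scanner has never heard of is still covered.
        for name, value in attrs:
            if value and (REMOTE.match(value) or CSS_URL.search(value)):
                self.findings.append((tag, name, value.strip()))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1

def scan_svg_remote_refs(html_body):
    scanner = SvgRemoteRefScanner()
    scanner.feed(html_body)
    scanner.close()
    return scanner.findings

# Constructed sample message body; tracker.example is a placeholder host.
SAMPLE = """<p>Hello</p>
<img src="https://tracker.example/outside.png">
<svg width="1" height="1">
  <image xlink:href="https://tracker.example/a.png"/>
  <rect fill="url(//tracker.example/b.svg#p)"/>
  <use href="#local"/>
</svg>"""

if __name__ == "__main__":
    for tag, attr, value in scan_svg_remote_refs(SAMPLE):
        print(f"remote reference in <{tag}> {attr}={value!r}")
```

The `<img>` outside the SVG is deliberately out of scope here, and attribute values are entity-decoded by the parser before matching, so character-reference encoding of the scheme does not hide a URL.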