Roundcube Patches Critical Privacy Bypass Vulnerability in Webmail Software Roundcube, a widely used open-source webmail platform, has released urgent security updates to fix a privacy bypass flaw that allowed attackers to track email opens despite user settings blocking remote images. The vulnerability, disclosed by security researchers at NULL CATHEDRAL on February 8, 2026, affects all versions prior to 1.5.13 and 1.6.x versions before 1.6.13. The issue stemmed from a flaw in Roundcube’s HTML sanitizer, rcube_washtml, which failed to recognize the SVG element `<feImage>` as an image container. While the sanitizer blocked standard image tags (e.g., `<img>`), it treated `<feImage>` an SVG filter primitive that fetches external resources via the `href` attribute as a regular hyperlink. This allowed attackers to embed invisible 1×1 SVGs in emails, triggering automatic GET requests to attacker-controlled servers when the email was rendered. Exploiting this flaw enabled threat actors to: - Confirm active email addresses. - Log recipients’ IP addresses. - Fingerprint browsers and devices. The patch, implemented in commit 26d7677, updates the sanitizer’s regex logic to explicitly block `<feImage>` alongside other image-related tags. Administrators of self-hosted Roundcube instances are advised to upgrade to 1.5.13 or 1.6.13 to mitigate the risk.

Over 84,000 Roundcube webmail installations are vulnerable to CVE-2025-49113, a critical remote code execution (RCE) flaw with a public exploit. The flaw, which impacts Roundcube versions 1.1.0 through 1.6.10, was patched on June 1, 2025. Hackers have reverse-engineered the patch to develop a working exploit, sold on underground forums. The vulnerability stems from unsanitized $_GET['_from'] input, enabling PHP object deserialization and session corruption. Although exploitation requires authentication, attackers claim valid credentials can be obtained via CSRF, log scraping, or brute-forcing. The high risk of exploitation and potential for data theft make the exposure of these instances a significant cybersecurity risk.