CVE-2026-25916
MEDIUMRoundcube Webmail <1.5.13 & <1.6.13 - XSS
Title source: llmDescription
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.
Exploits (2)
github
WORKING POC
10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25916
nomisec
WORKING POC
1 stars
by mbanyamer · poc
https://github.com/mbanyamer/CVE-2026-25916-Roundcube-Webmail-DOM-based-XSS-Exploit-via-SVG-href-Attribute
Scores
CVSS v3
4.3
EPSS
0.0004
EPSS Percentile
11.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Details
CWE
CWE-420
Status
published
Products (2)
Roundcube/Webmail
< 1.5.13
Roundcube/Webmail
1.6.0 - 1.6.13
Published
Feb 09, 2026
Tracked Since
Feb 18, 2026