Roundcube Webmail: SVG feImage bypasses image blocking to track email opens
nullcathedral Sunday, February 08, 2026
Summary
This article discusses a vulnerability in Roundcube, a popular webmail client, where an attacker could bypass the remote image loading restrictions using SVG's `<feImage>` element. The vulnerability could potentially allow the attacker to read sensitive information from the victim's device.
nullcathedral.com