⚠️ Roundcube Webmail <1.5.13 / <1.6.13 allows attackers to force remote image loads via SVG feImage
「 Roundcube’s rcube_washtml sanitizer blocked external resources on <img>, <image>, and <use>, but not on <feImage>. Its href went through the wrong code path and got allowed through. Attackers could track email opens even when “Block remote images” was on. Fixed in 1.5.13 and 1.6.13 」
https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/
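
A defender-side check for the gap described above, as an added Python example (not Roundcube's code and not from the linked post): it scans a message body for remote URLs on resource-loading elements and shows that a tag list limited to img, image and use misses feImage. The tag sets, function names and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser

# Elements the summary says were already covered, and the one that was missed.
# HTMLParser lowercases tag names, so <feImage> is seen as "feimage".
COVERED_BEFORE_FIX = {"img", "image", "use"}
COVERED_AFTER_FIX = COVERED_BEFORE_FIX | {"feimage"}

URL_ATTRS = ("src", "href", "xlink:href")


def is_remote(url):
    """True for URLs that cause a network fetch (not fragments, data: or cid:)."""
    u = url.strip().lower()
    return u.startswith(("http://", "https://", "//"))


class RemoteLoadFinder(HTMLParser):
    """Collects (tag, url) pairs for watched elements that point off-host."""

    def __init__(self, tags):
        super().__init__(convert_charrefs=True)
        self.tags = tags
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.tags:
            return
        for name, value in attrs:
            if name in URL_ATTRS and value and is_remote(value):
                self.hits.append((tag, value))


def find_remote_loads(html, tags):
    finder = RemoteLoadFinder(tags)
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample message body (hypothetical, not taken from the advisory).
SAMPLE = (
    '<p>Hello</p>'
    '<img src="https://tracker.example/a.gif">'
    '<svg><use href="#icon"/>'
    '<filter id="f"><feImage href="https://tracker.example/b.png"/></filter></svg>'
)

if __name__ == "__main__":
    print("old tag list:", find_remote_loads(SAMPLE, COVERED_BEFORE_FIX))
    print("with feImage:", find_remote_loads(SAMPLE, COVERED_AFTER_FIX))
```

Run over stored or quarantined mail, the second tag set flags messages that would have fetched a remote image on unpatched versions despite “Block remote images”.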