HeadlinesBriefing.com

Roundcube Webmail SVG Filter Bypass Exposes Email Tracking Flaw

Hacker News: Front Page

Security researchers have uncovered a critical vulnerability in Roundcube Webmail that allows attackers to bypass email tracking protections using SVG filter elements. The flaw affects versions earlier than 1.5.13 and 1.6.13, enabling remote image loading even when users have enabled "Block remote images" settings. The vulnerability stems from inconsistent sanitization logic that treats SVG `<feImage>` elements differently from standard image tags.

Roundcube's `rcube_washtml` sanitizer was designed to block external resources on `<img>`, `<image>`, and `<use>` elements by routing their `href` attributes through `is_image_attribute()`, which blocks remote URLs. However, the sanitizer incorrectly routed `<feImage>` attributes through `wash_link()`, which allows HTTP/HTTPS URLs. This oversight meant that attackers could confirm email opens, log IP addresses, and fingerprint browsers even when users thought their privacy settings were active.

The vulnerability was discovered during a security audit when researchers noticed that earlier fixes for SVG-based XSS via the `animate` tag suggested other SVG elements might also have been overlooked. The technical flaw lies in how the sanitizer classifies attributes: `is_image_attribute()` only matches `href` on `use` and `image` elements, missing `feimage`, while `is_link_attribute()` serves as a catch-all that returns true for any `href` attribute.

The issue has been patched in versions 1.5.13 and 1.6.13, with the fix consolidating the `use`/`image` checks into a single regex that includes `feimage`. Users should update immediately to protect against potential email tracking attacks. The discovery highlights how complex SVG specifications can create security gaps when sanitization logic doesn't account for all elements.
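To make the two dispatch paths concrete, here is an added Python model of the classification logic the article describes; it is not Roundcube's PHP code, and the element regexes, the `tracker.invalid` host and the sample markup are constructed for this example. It shows why a remote `href` on `<feImage>` survives the pre-fix check and is dropped by the consolidated post-fix regex.

```python
import re
import xml.etree.ElementTree as ET

# Modelled after the dispatch the article describes; not Roundcube's own code.
# Pre-fix: only use/image count as image elements, so <feImage href> falls
# through to the link path. Post-fix: one regex that also includes feimage.
VULN_IMAGE_TAGS = re.compile(r"^(use|image)$")
FIXED_IMAGE_TAGS = re.compile(r"^(use|image|feimage)$")
REMOTE_URL = re.compile(r"^\s*(https?:)?//", re.I)
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

def wash_href(tag, value, image_tags, block_remote=True):
    """Return the washed href value, or None to drop the attribute."""
    if image_tags.match(tag):  # is_image_attribute() path: remote blocked
        return None if block_remote and REMOTE_URL.match(value) else value
    # is_link_attribute() catch-all path: http/https links pass through
    return value if re.match(r"^\s*(https?:|#|/)", value, re.I) else None

def wash_svg(svg_text, image_tags, block_remote=True):
    """Strip every href the policy rejects and return the washed markup."""
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # drop the XML namespace
        for name in ("href", XLINK_HREF):
            if name in el.attrib:
                washed = wash_href(tag, el.attrib[name], image_tags, block_remote)
                if washed is None:
                    del el.attrib[name]
                else:
                    el.attrib[name] = washed
    return ET.tostring(root, encoding="unicode")

def remote_hrefs(svg_text):
    """Regression check: (tag, href) pairs that still reach a remote host."""
    root = ET.fromstring(svg_text)
    return [(el.tag.rsplit("}", 1)[-1].lower(), v)
            for el in root.iter()
            for v in (el.attrib.get("href"), el.attrib.get(XLINK_HREF))
            if v and REMOTE_URL.match(v)]

# Constructed sample (not from a real mail): an <image>, an <feImage> inside
# a filter, and a plain link, all pointing at a placeholder host.
SAMPLE = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<image href="https://tracker.invalid/a.png"/>'
    '<filter id="f"><feImage href="https://tracker.invalid/b.png"/></filter>'
    '<a href="https://tracker.invalid/page">x</a></svg>'
)
```

`remote_hrefs(wash_svg(SAMPLE, VULN_IMAGE_TAGS))` still reports the `feimage` entry alongside the ordinary `a` link, whereas with `FIXED_IMAGE_TAGS` only the `a` link remains.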

Quick Fact: The vulnerability was publicly disclosed on February 8, 2026, alongside the release of patched versions 1.5.13 and 1.6.13.