Dark C0d3rs
HackerOne Disclosed Reports - 2026-04-20 - Printable Version

+- Dark C0d3rs (https://darkcoders.wiki)
+-- Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log)
+--- Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports)
+--- Thread: HackerOne Disclosed Reports - 2026-04-20 (/Thread-HackerOne-Disclosed-Reports-2026-04-20)



HackerOne disclosed reports - 2026-04-20 - hashXploiter - 04-21-2026

Medium
resolved

SVG filter primitives bypass remote image blocking, enabling email tracking without consent.


Reported by _NULL, disclosed April 20, 2026, 12:57 pm   |   Weakness: Privacy Violation

A vulnerability was discovered in the HTML sanitizer of the Roundcube webmail application. The sanitizer did not properly handle the `` SVG filter primitive, so an external resource referenced from inside an SVG filter was still loaded even when the "Block remote images" setting was enabled. A sender could use this to learn when an email was opened and to obtain the recipient's IP address without the user's consent.


Medium
resolved

position: fixed !important bypasses CSS sanitizer's fixed-position mitigation, enabling full-viewport phishing overlays.


Reported by _NULL, disclosed April 20, 2026, 12:04 pm   |   Weakness: Resource Injection

A vulnerability was discovered in the CSS sanitization of the Roundcube webmail application. The sanitizer neutralizes fixed-position overlays in message styles, but it did not recognize the declaration when written as "position: fixed !important", so the `!important` suffix let it through unchanged. An attacker could use this to draw a full-viewport phishing overlay on top of the webmail interface.


Medium
resolved

Unquoted body background attribute enables CSS injection that bypasses remote image blocking


Reported by _NULL, disclosed April 20, 2026, 12:03 pm   |   Weakness: Resource Injection

A vulnerability was discovered in Roundcube's HTML sanitizer that enabled CSS injection when the `allow_remote` option was set to `false`. The sanitizer did not quote the value of the `background` attribute of the email body when converting it into a CSS `url()`, so a crafted `data:` URI containing a closing parenthesis could terminate the `url()` function and inject arbitrary CSS declarations after it. This bypass allowed external resources to be loaded even when remote image blocking was enabled.


Medium
resolved

SMIL values and by attributes bypass remote image blocking via unvalidated resource-loading animations, enabling email tracking without consent


Reported by _NULL, disclosed April 20, 2026, 12:03 pm   |   Weakness: Remote File Inclusion

A vulnerability was discovered in the HTML sanitizer of the Roundcube webmail client. The sanitizer did not validate the `values` and `by` attributes of SMIL animation elements, so an animation targeting a resource-bearing attribute could make the browser load arbitrary external resources and bypass the "Block remote images" feature. This could have enabled email tracking without the user's consent.
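As an added illustration (not code from the disclosed reports or from Roundcube), the following JavaScript models the three sanitizer weaknesses described above in a toy, regex-based email sanitizer, each as the weak check beside a hardened one: the `!important` suffix slipping past a token-exact `position: fixed` filter, the unquoted body `background` value breaking out of `url()`, and SMIL `values`/`by` attributes escaping a check that only looks at `from`/`to`. Function names, the `tracker.example` hostname, the `cid:`-only resource policy and all inputs are constructed for the example; a real sanitizer should use a proper CSS tokenizer and DOM walk rather than string splitting.

```javascript
// Added example (not Roundcube's code): a toy email sanitizer that reproduces
// the three bypass classes in the disclosed reports, each as the weak check
// beside a hardened one. Regex/string based; real sanitizers should use a
// proper CSS tokenizer and DOM walk. All inputs below are constructed.

// ---- 1. CSS: "position: fixed !important" slips past a token-exact check ----

// Weak: only matches "position: fixed" immediately followed by ";" or end.
function weakStripFixed(css) {
  return css.replace(/position\s*:\s*fixed\s*(?:;|$)/gi, "");
}

// Hardened: split into declarations, normalise each property/value pair,
// strip "!important" before comparing, and drop fixed positioning.
function hardenedStripFixed(css) {
  return css
    .split(";")
    .map((d) => d.trim())
    .filter((d) => {
      const i = d.indexOf(":");
      if (i < 0) return false; // drop empty or malformed fragments
      const prop = d.slice(0, i).trim().toLowerCase();
      const val = d.slice(i + 1).replace(/!\s*important/gi, "").trim().toLowerCase();
      return !(prop === "position" && val === "fixed");
    })
    .join("; ");
}

// ---- 2. body background attribute interpolated unquoted into url() ----

// Weak: the attribute value is dropped into url() without quoting, so a
// value containing ")" ends the function and starts a new declaration.
function weakBodyBackgroundToCss(value) {
  return `background-image: url(${value})`;
}

// Hardened: refuse any character that could break out of a quoted url(),
// apply the remote-image policy to the scheme, and always quote the output.
function hardenedBodyBackgroundToCss(value, allowRemote) {
  if (/[\s"'()\\\x00-\x1f\x7f]/.test(value)) return null;
  const isInline = /^cid:/i.test(value); // inline attachment reference
  const isRemote = /^https?:\/\//i.test(value);
  if (!(isInline || (allowRemote && isRemote))) return null;
  return `background-image: url("${value}")`;
}

// Helper: list every url(...) argument in a style string.
function extractUrls(css) {
  return [...css.matchAll(/url\(\s*"?([^")]*)"?\s*\)/gi)].map((m) => m[1]);
}

// ---- 3. SMIL: values/by carry resource references that from/to checks miss ----

// Policy for one animation token: only "#fragment" and cid: references.
function isSafeAnimToken(tok) {
  const t = tok.trim();
  return t === "" || t.startsWith("#") || /^cid:/i.test(t);
}

// Weak: validates only from/to, so values= and by= pass through unchecked.
function weakCheckAnimate(attrs) {
  return ["from", "to"].every((a) => !(a in attrs) || isSafeAnimToken(attrs[a]));
}

// Hardened: when the animated attribute can reference a resource, every
// value-carrying attribute is checked, and values= is split on ";".
const RESOURCE_TARGETS = new Set(["href", "xlink:href", "src"]);
function hardenedCheckAnimate(attrs) {
  const target = (attrs.attributeName || "").toLowerCase();
  if (!RESOURCE_TARGETS.has(target)) return true;
  return ["from", "to", "values", "by"].every(
    (a) => !(a in attrs) || attrs[a].split(";").every(isSafeAnimToken)
  );
}

// ---- Constructed inputs modelled on the three reports ----
const overlayCss = "position: fixed !important; top:0; left:0; width:100vw; height:100vh";
const bgAttack = "data:x);background-image:url(https://tracker.example/p.gif";
const smilAnimate = {
  attributeName: "href",
  values: "#local;https://tracker.example/open.gif",
  dur: "1s",
};

console.log(weakStripFixed(overlayCss));                     // still contains "fixed"
console.log(hardenedStripFixed(overlayCss));                 // fixed positioning removed
console.log(extractUrls(weakBodyBackgroundToCss(bgAttack))); // second, remote URL injected
console.log(hardenedBodyBackgroundToCss(bgAttack, false));   // null: value rejected
console.log(weakCheckAnimate(smilAnimate), hardenedCheckAnimate(smilAnimate)); // true false
```

The common thread is that each weak check compares against one expected spelling of the dangerous input (an exact `position: fixed` token, a bare URL in `url()`, the `from`/`to` pair) while the browser accepts several; the hardened versions normalise first and then decide on the parsed result, and reject rather than repair a value that cannot be safely quoted.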