Hi Guilhem, On Sun, Feb 08, 2026 at 11:41:28PM +0100, Guilhem Moulin wrote: > * Remote image blocking bypass via SVG content reported by nullcathedral. > > https://github.com/roundcube/roundcubemail/commit/036e851b683333205813f70acda2dc047b4891c8
This one got a CVE assigned, assuming the reporter did request it accordingly: CVE-2026-25916 There is a blog post about it: https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/ The first one AFAIU, has not yet a CVE. Regards, Salvatore
