熊貓隨口說
08:51 · February 9, 2026 · Monday
https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/
NULL CATHEDRAL
Roundcube Webmail <1.5.13 / <1.6.13 allows attackers to force remote image loads via SVG feImage
Roundcube's HTML sanitizer doesn't treat SVG feImage href as an image source. Attackers can bypass remote image blocking to track email opens. (CVE-2026-25916)