This vulnerability in Roundcube Webmail affects versions prior to 1.5.15 and 1.6.15. The issue arises because the remote image blocking feature can be circumvented by embedding SVG content with animate elements targeting fill, filter, or stroke attributes. This bypass enables attackers to potentially disclose information or bypass access controls by leveraging the SVG animation capabilities within email content. The CVSS score is 5.3 (medium severity), indicating a network attack vector with low complexity and no privileges or user interaction required. The vulnerability is classified under CWE-669, which relates to incorrect resource transfer between spheres.

Successful exploitation may allow attackers to bypass remote image blocking controls in Roundcube Webmail, potentially leading to unauthorized information disclosure or access-control bypass. The impact does not include confidentiality loss but involves integrity concerns. There are no reports of active exploitation in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should monitor Roundcube's official channels for updates. Until a patch is available, consider applying temporary mitigations such as disabling SVG rendering in emails if feasible or restricting email content types to reduce exposure.