LogicalBreach Academy

SVG filter primitives bypass remote image blocking, enabling email tracking without consent. | Free Bug Bounty Writeup | LogicalBreach Academy

Writeups Cheatsheets Tools Collections Authors Noc Pricing

Back

Privacy Violation (CWE-359)CVSS 4.3Medium

SVG filter primitives bypass remote image blocking, enabling email tracking without consent.

hackerone-reports

April 21, 2026

0 views

Save

€0

Vulnerability Summary

HackerOne disclosed report --> https://hackerone.com/reports/3486747 by nullcathedral

Summary:

When allow_remote is set to false, Roundcube's HTML sanitizer https://github.com/roundcube/roundcubemail/blob/5162a0d9d7b05728500375611a2fb4fc55844c7c/program/lib/Roundcube/rcube_washtml.php blocks external resources in <img>, <image>, and <use> tags by checking their src/href attributes through is_image_attribute().

However, the <feImage> SVG filter primitive is allowlisted as an element but its href attribute is not recognized as an image source. Instead, it passes through wash_link() which permits external HTTP/HTTPS URLs.

Steps To Reproduce:

Step 1: Send an HTML e-mail with embedded SVG

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

hackerone-reports

€13,553 Documented

Profile →

Discussion

No comments yet.

Be the first to share your thoughts

Premium writeups about bug bounty hunting and web security.
Written by real security researchers.

Navigation

Writeups Cheatsheets Tools Authors Noc Pricing

Contactcontact@logicalbreach.com

RSS FeedPrivacy PolicyTerms of Service