A security vulnerability was discovered in Roundcube Webmail's sanitizer, specifically within the rcube_washtml class, which allowed attackers to bypass the 'Block remote images' privacy feature. While the sanitizer correctly blocked external resources for common tags like <img> and <use>, it failed to properly handle the SVG <feImage> element. Because its href attribute was routed through a link-washing function instead of the image-validation path, external URLs were permitted. This flaw allowed unauthorized tracking of users, enabling attackers to log IP addresses and confirm email opens by embedding invisible SVG filters. The issue has been addressed in versions 1.5.13 and 1.6.13 by ensuring <feImage> is correctly categorized as an image-bearing attribute during the validation process.