ET WEB_SPECIFIC_APPS Roundcube Webmail SVG feImage Remote Image Bypass (CVE-2026-25916)
Source: et/open
Created: February 10, 2026
Updated: February 10, 2026
Classification: web-application-attack
alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Roundcube Webmail SVG feImage Remote Image Bypass (CVE-2026-25916)"; flow:established,to_server; content:"|3c|svg"; content:"|3c|feImage|20|"; fast_pattern; distance:0; content:"href|3d 22|"; distance:0; pcre:"/\x3csvg(?:(?!\x3e\x2fsvg).)+\x3cfeImage\x20[^\x3e]*?href\x3d\x22(?:[a-z]+\x3a\x2f{2}|\x5c{2})/"; reference:url,nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/; reference:cve,2026-25916; classtype:web-application-attack; sid:2067446; rev:1; metadata:affected_product Roundcube, attack_target Server, created_at 2026_02_10, cve CVE_2026_25916, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2026_02_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)