Roundcube Webmail before 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document.
