diff --git a/appinfo/routes.php b/appinfo/routes.php
index 411af41b6a..5e65106a29 100644
--- a/appinfo/routes.php
+++ b/appinfo/routes.php
@@ -305,6 +305,11 @@
 			'url' => '/proxy',
 			'verb' => 'GET'
 		],
+		[
+			'name' => 'imageProxy#fetch',
+			'url' => '/api/image/proxy',
+			'verb' => 'GET'
+		],
 		[
 			'name' => 'settings#index',
 			'url' => '/api/settings/provisioning',
diff --git a/lib/Controller/ImageProxyController.php b/lib/Controller/ImageProxyController.php
new file mode 100644
index 0000000000..8235280b26
--- /dev/null
+++ b/lib/Controller/ImageProxyController.php
@@ -0,0 +1,170 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Mail\Controller;
+
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\OpenAPI;
+use OCP\AppFramework\Http\Attribute\UserRateLimit;
+use OCP\AppFramework\Http\JSONResponse;
+use OCP\Files\IMimeTypeDetector;
+use OCA\Mail\Service\SvgSanitizer;
+use OCP\Http\Client\IClientService;
+use OCP\Http\Client\LocalServerException;
+use OCP\IRequest;
+use OCP\Security\IRemoteHostValidator;
+use Psr\Http\Client\ClientExceptionInterface;
+use Psr\Log\LoggerInterface;
+use function base64_encode;
+use function fclose;
+use function feof;
+use function fread;
+use function in_array;
+use function is_resource;
+use function ltrim;
+use function parse_url;
+use function str_starts_with;
+use function stripos;
+use function strlen;
+
+/**
+ * Downloads an external image server-side so it can be embedded into a composed
+ * message or a signature as a data: URI.
+ *
+ * Loading external images directly in the browser is blocked by the app's
+ * Content Security Policy, so the user provides a URL, the server fetches it
+ * once (with the platform's SSRF protection) and returns the bytes as a data:
+ * URI. The image is later turned into an inline CID attachment when the message
+ * is sent, see {@see \OCA\Mail\Service\MimeMessage::extractDataUriImages()}.
+ */
+#[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
+class ImageProxyController extends Controller {
+	/**
+	 * Hard cap on the downloaded image size to avoid exhausting memory and to
+	 * keep outgoing messages within sane limits.
+	 */
+	private const MAX_IMAGE_SIZE = 10 * 1024 * 1024;
+
+	/**
+	 * Image types that browsers can render in an <img> tag and that are safe to
+	 * embed.
+	 */
+	private const ALLOWED_MIME_TYPES = [
+		'image/png',
+		'image/jpeg',
+		'image/gif',
+		'image/webp',
+		'image/bmp',
+		'image/svg+xml',
+	];
+
+	public function __construct(
+		string $appName,
+		IRequest $request,
+		private IClientService $clientService,
+		private IRemoteHostValidator $remoteHostValidator,
+		private IMimeTypeDetector $mimeTypeDetector,
+		private SvgSanitizer $svgSanitizer,
+		private LoggerInterface $logger,
+	) {
+		parent::__construct($appName, $request);
+	}
+
+	/**
+	 * Fetch an external image and return it as a data: URI.
+	 *
+	 * @NoAdminRequired
+	 * @UserRateThrottle(limit=50, period=60)
+	 */
+	#[UserRateLimit(limit: 50, period: 60)]
+	public function fetch(string $url): JSONResponse {
+		$scheme = parse_url($url, PHP_URL_SCHEME);
+		if ($scheme !== 'http' && $scheme !== 'https') {
+			return new JSONResponse(['message' => 'Invalid URL'], Http::STATUS_BAD_REQUEST);
+		}
+
+		// Reject internal/local hosts up front (SSRF). The client throwing a
+		// LocalServerException below additionally guards against redirects.
+		if (!$this->remoteHostValidator->isValid($url)) {
+			return new JSONResponse(['message' => 'Forbidden URL'], Http::STATUS_FORBIDDEN);
+		}
+
+		$client = $this->clientService->newClient();
+		try {
+			$response = $client->get($url, [
+				'timeout' => 10,
+				'stream' => true,
+			]);
+		} catch (LocalServerException $e) {
+			$this->logger->warning('Blocked image insert from forbidden URL', [
+				'exception' => $e,
+			]);
+			return new JSONResponse(['message' => 'Forbidden URL'], Http::STATUS_FORBIDDEN);
+		} catch (ClientExceptionInterface $e) {
+			$this->logger->info('Could not fetch image to insert', [
+				'exception' => $e,
+			]);
+			return new JSONResponse(['message' => 'Could not fetch image'], Http::STATUS_BAD_GATEWAY);
+		}
+
+		$body = $response->getBody();
+		if (!is_resource($body)) {
+			return new JSONResponse(['message' => 'Could not fetch image'], Http::STATUS_BAD_GATEWAY);
+		}
+
+		// Read the response incrementally to enforce the size limit without
+		// buffering arbitrarily large responses in memory.
+		$content = '';
+		while (!feof($body)) {
+			$chunk = fread($body, 8192);
+			if ($chunk === false) {
+				break;
+			}
+			$content .= $chunk;
+			if (strlen($content) > self::MAX_IMAGE_SIZE) {
+				fclose($body);
+				return new JSONResponse(['message' => 'Image too large'], Http::STATUS_REQUEST_ENTITY_TOO_LARGE);
+			}
+		}
+		fclose($body);
+
+		// Detect the type from the actual bytes instead of trusting the remote
+		// Content-Type header.
+		$mimeType = $this->mimeTypeDetector->detectString($content);
+
+		// finfo frequently reports SVG (which is plain XML) as a text/* type, so
+		// fall back to sniffing the markup to support SVG logos.
+		if ($mimeType !== 'image/svg+xml' && $this->looksLikeSvg($content)) {
+			$mimeType = 'image/svg+xml';
+		}
+
+		if (!in_array($mimeType, self::ALLOWED_MIME_TYPES, true)) {
+			return new JSONResponse(['message' => 'Unsupported image type'], Http::STATUS_UNSUPPORTED_MEDIA_TYPE);
+		}
+
+		if ($mimeType === 'image/svg+xml') {
+			$content = $this->svgSanitizer->sanitize($content);
+		}
+
+		$dataUri = 'data:' . $mimeType . ';base64,' . base64_encode($content);
+		return new JSONResponse(['data' => $dataUri]);
+	}
+
+	/**
+	 * Heuristically decide whether the given bytes are an SVG document.
+	 */
+	private function looksLikeSvg(string $content): bool {
+		$start = ltrim($content);
+		$hasSvgRoot = str_starts_with($start, '<?xml')
+			|| str_starts_with($start, '<!--')
+			|| stripos($start, '<svg') === 0;
+		return $hasSvgRoot && stripos($content, '<svg') !== false;
+	}
+}
diff --git a/lib/Controller/ProxyController.php b/lib/Controller/ProxyController.php
index 3b44a15254..812037b4f2 100644
--- a/lib/Controller/ProxyController.php
+++ b/lib/Controller/ProxyController.php
@@ -13,6 +13,7 @@
 use OCA\Mail\Html\ProxyHmacGenerator;
 use OCA\Mail\Http\ProxyDownloadResponse;
 use OCA\Mail\Service\MailManager;
+use OCA\Mail\Service\SvgSanitizer;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Http;
@@ -28,6 +29,9 @@
 use Psr\Log\LoggerInterface;
 use function file_get_contents;
 use function hash_equals;
+use function ltrim;
+use function stripos;
+use function str_starts_with;
 
 #[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
 class ProxyController extends Controller {
@@ -37,6 +41,7 @@ class ProxyController extends Controller {
 	private LoggerInterface $logger;
 	private ProxyHmacGenerator $hmacGenerator;
 	private MailManager $mailManager;
+	private SvgSanitizer $svgSanitizer;
 	private ?string $userId;
 
 	public function __construct(string $appName,
@@ -47,6 +52,7 @@ public function __construct(string $appName,
 		ProxyHmacGenerator $hmacGenerator,
 		LoggerInterface $logger,
 		MailManager $mailManager,
+		SvgSanitizer $svgSanitizer,
 		?string $userId) {
 		parent::__construct($appName, $request);
 		$this->request = $request;
@@ -56,6 +62,7 @@ public function __construct(string $appName,
 		$this->logger = $logger;
 		$this->hmacGenerator = $hmacGenerator;
 		$this->mailManager = $mailManager;
+		$this->svgSanitizer = $svgSanitizer;
 		$this->userId = $userId;
 	}
 
@@ -112,6 +119,29 @@ public function proxy(string $src, ?int $id, ?string $hmac): Response {
 			$content = file_get_contents(__DIR__ . '/../../img/blocked-image.png');
 		}
 
+		$content = (string)$content;
+
+		// Browsers sniff raster image formats in <img> tags, but they refuse to
+		// render SVG unless it is served with the image/svg+xml content type.
+		// Detect and sanitise SVG markup so external SVG logos are displayed
+		// instead of staying blank. Sanitising also strips any active content in
+		// case the response is fetched through a direct (non-<img>) navigation.
+		if ($this->looksLikeSvg($content)) {
+			$content = $this->svgSanitizer->sanitize($content);
+			return new ProxyDownloadResponse($content, $src, 'image/svg+xml');
+		}
+
 		return new ProxyDownloadResponse($content, $src, 'application/octet-stream');
 	}
+
+	/**
+	 * Heuristically decide whether the given bytes are an SVG document.
+	 */
+	private function looksLikeSvg(string $content): bool {
+		$start = ltrim($content);
+		$hasSvgPrologue = str_starts_with($start, '<?xml')
+			|| str_starts_with($start, '<!--')
+			|| stripos($start, '<svg') === 0;
+		return $hasSvgPrologue && stripos($content, '<svg') !== false;
+	}
 }
diff --git a/lib/Service/AntiSpamService.php b/lib/Service/AntiSpamService.php
index 3bbd51ecff..1f458d5c7d 100644
--- a/lib/Service/AntiSpamService.php
+++ b/lib/Service/AntiSpamService.php
@@ -155,7 +155,8 @@ public function sendReportEmail(Account $account, Mailbox $mailbox, int $uid, st
 		$mail->addHeaders($headers);
 
 		$mimeMessage = new MimeMessage(
-			new DataUriParser()
+			new DataUriParser(),
+			new SvgSanitizer(),
 		);
 
 		$mimePart = $mimeMessage->build(
diff --git a/lib/Service/Html.php b/lib/Service/Html.php
index d56e8f1448..5e37eea584 100755
--- a/lib/Service/Html.php
+++ b/lib/Service/Html.php
@@ -154,6 +154,15 @@ public function sanitizeHtmlMailBody(int $messageId, string $mailBody, array $in
 		// Rewrite URL for redirection and proxying of content
 		/** @var HTMLPurifier_HTMLDefinition $def */
 		$def = $config->getHTMLDefinition(true);
+
+		// HTMLPurifier defaults to an HTML 4.01 schema which does not know the
+		// HTML5 <figure>/<figcaption> elements. Without registering them the
+		// figure wrappers are stripped and the contained images collapse from
+		// stacked blocks into inline siblings (rendered side by side). Editors
+		// such as CKEditor wrap images in figures, so keep them as block elements.
+		$def->addElement('figure', 'Block', 'Flow', 'Common');
+		$def->addElement('figcaption', 'Block', 'Flow', 'Common');
+
 		$def->info_attr_transform_post['imagesrc'] = new TransformImageSrc($this->urlGenerator);
 		$def->info_attr_transform_post['cssbackground'] = new TransformStyleURLs($this->urlGenerator);
 		$def->info_attr_transform_post['htmllinks'] = new TransformHTMLLinks();
diff --git a/lib/Service/MailTransmission.php b/lib/Service/MailTransmission.php
index ad5a4d2a1b..ac87ff41ec 100644
--- a/lib/Service/MailTransmission.php
+++ b/lib/Service/MailTransmission.php
@@ -133,7 +133,8 @@ public function sendMessage(Account $account, LocalMessage $localMessage): void
 		$mail->addHeaders($headers);
 
 		$mimeMessage = new MimeMessage(
-			new DataUriParser()
+			new DataUriParser(),
+			new SvgSanitizer(),
 		);
 		$mimePart = $mimeMessage->build(
 			$localMessage->getBodyPlain(),
diff --git a/lib/Service/MimeMessage.php b/lib/Service/MimeMessage.php
index 1188d18500..abffd2e593 100644
--- a/lib/Service/MimeMessage.php
+++ b/lib/Service/MimeMessage.php
@@ -20,9 +20,11 @@
 
 class MimeMessage {
 	private DataUriParser $uriParser;
+	private SvgSanitizer $svgSanitizer;
 
-	public function __construct(DataUriParser $uriParser) {
+	public function __construct(DataUriParser $uriParser, SvgSanitizer $svgSanitizer) {
 		$this->uriParser = $uriParser;
+		$this->svgSanitizer = $svgSanitizer;
 	}
 
 	/**
@@ -82,6 +84,8 @@ private function buildMessagePart(?string $contentPlain, ?string $contentHtml, a
 			$doc = Parser::parseToDomDocument($source);
 			array_push($inlineAttachments, ...$this->extractDataUriImages($doc));
 			$this->rewriteSrcToCid($doc);
+			$this->normalizeImageDimensions($doc);
+			$this->normalizeImageAlignment($doc);
 			$htmlContent = $doc->saveHTML();
 
 			$htmlPart = new Horde_Mime_Part();
@@ -172,10 +176,19 @@ private function extractDataUriImages(DOMDocument $doc): array {
 			$part->setCharset($dataUri->getParameters()['charset']);
 			$part->setName('embedded_image_' . $id);
 			$part->setDisposition('inline');
-			if ($dataUri->isBase64()) {
+			if ($dataUri->getMediaType() === 'image/svg+xml') {
+				// Strip any active content from SVGs before they are sent.
+				$raw = $dataUri->isBase64()
+					? base64_decode($dataUri->getData(), true)
+					: rawurldecode($dataUri->getData());
 				$part->setTransferEncoding('base64');
+				$part->setContents(base64_encode($this->svgSanitizer->sanitize($raw === false ? '' : $raw)));
+			} else {
+				if ($dataUri->isBase64()) {
+					$part->setTransferEncoding('base64');
+				}
+				$part->setContents($dataUri->getData());
 			}
-			$part->setContents($dataUri->getData());
 
 			$cid = $part->setContentId();
 			$parts[] = $part;
@@ -185,6 +198,106 @@ private function extractDataUriImages(DOMDocument $doc): array {
 		return $parts;
 	}
 
+	/**
+	 * Mirrors pixel dimensions set via the editor's resize feature (stored as
+	 * inline CSS) onto the width/height attributes. Many email clients drop
+	 * inline styles and classes but honour these attributes, so without them a
+	 * resized image would fall back to its (often huge) natural size.
+	 */
+	private function normalizeImageDimensions(DOMDocument $doc): void {
+		foreach ($doc->getElementsByTagName('img') as $image) {
+			if (!($image instanceof DOMElement)) {
+				continue;
+			}
+
+			// The editor stores the resize width as inline CSS. For inline images
+			// it lives on the <img>; for block images it lives on the wrapping
+			// <figure> while the aspect ratio stays on the <img>. A linked image
+			// is nested one level deeper (<figure><a><img></a></figure>), so walk
+			// up the ancestors to find the figure rather than only checking the
+			// direct parent. Inspect both the image's and the figure's style.
+			$figureStyle = '';
+			$ancestor = $image->parentNode;
+			while ($ancestor instanceof DOMElement) {
+				if (strtolower($ancestor->tagName) === 'figure') {
+					$figureStyle = $ancestor->getAttribute('style');
+					break;
+				}
+				$ancestor = $ancestor->parentNode;
+			}
+			$style = $image->getAttribute('style') . ';' . $figureStyle;
+
+			if (preg_match('/(?<![-\w])width:\s*([\d.]+)px/i', $style, $widthMatch) !== 1) {
+				continue;
+			}
+
+			$width = (int)round((float)$widthMatch[1]);
+			if ($width <= 0) {
+				continue;
+			}
+			$image->setAttribute('width', (string)$width);
+
+			// Derive the height from the aspect ratio the editor stores so clients
+			// that ignore CSS keep the correct proportions.
+			if (preg_match('#aspect-ratio:\s*([\d.]+)\s*/\s*([\d.]+)#i', $style, $ratioMatch) === 1) {
+				$ratioWidth = (float)$ratioMatch[1];
+				$ratioHeight = (float)$ratioMatch[2];
+				if ($ratioWidth > 0.0 && $ratioHeight > 0.0) {
+					$height = (int)round($width * $ratioHeight / $ratioWidth);
+					if ($height > 0) {
+						$image->setAttribute('height', (string)$height);
+					}
+				}
+			}
+		}
+	}
+
+	/**
+	 * Translates the editor's image-alignment classes into inline styles on the
+	 * wrapping <figure>. The editor expresses alignment through CSS classes
+	 * backed by its own stylesheet, which recipients do not load. Without
+	 * inlining, every client falls back to its own default rendering of a bare
+	 * <figure> (some left-align it, others centre it), so even the unstyled
+	 * default must be made explicit to render consistently everywhere.
+	 *
+	 * A block image is positioned by the auto margins of its (width-constrained)
+	 * <figure> box, exactly like the editor does it; text-align additionally
+	 * aligns the image inside a figure that spans the full width. Physical
+	 * margins are used because the Word engine behind Outlook ignores the
+	 * logical margin-inline shorthand.
+	 */
+	private function normalizeImageAlignment(DOMDocument $doc): void {
+		$alignments = [
+			'image-style-align-center' => 'margin-left: auto; margin-right: auto; text-align: center;',
+			'image-style-block-align-right' => 'margin-left: auto; margin-right: 0; text-align: right;',
+			'image-style-block-align-left' => 'margin-left: 0; margin-right: auto; text-align: left;',
+		];
+		// The unstyled state is the editor's left-aligned default.
+		$default = 'margin-left: 0; margin-right: auto; text-align: left;';
+
+		foreach ($doc->getElementsByTagName('figure') as $figure) {
+			if (!($figure instanceof DOMElement)) {
+				continue;
+			}
+
+			$classes = $figure->getAttribute('class');
+			if (!str_contains($classes, 'image')) {
+				continue;
+			}
+
+			$alignment = $default;
+			foreach ($alignments as $class => $style) {
+				if (str_contains($classes, $class)) {
+					$alignment = $style;
+					break;
+				}
+			}
+
+			$style = rtrim(trim($figure->getAttribute('style')), ';');
+			$figure->setAttribute('style', ($style === '' ? '' : $style . '; ') . $alignment);
+		}
+	}
+
 	/**
 	 * Rewrites src attributes of img elements that carry a data-cid attribute
 	 * back to their cid: reference, as required by the MIME structure for
diff --git a/lib/Service/SvgSanitizer.php b/lib/Service/SvgSanitizer.php
new file mode 100644
index 0000000000..602ab1a00c
--- /dev/null
+++ b/lib/Service/SvgSanitizer.php
@@ -0,0 +1,105 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Mail\Service;
+
+use DOMAttr;
+use DOMDocument;
+use DOMElement;
+use DOMXPath;
+
+/**
+ * Removes active content from SVG markup before it is embedded into or sent
+ * with a message. SVGs are rendered in an <img>/CID context where scripts do
+ * not execute, but they are still sanitised as defence in depth: any document
+ * that cannot be parsed safely is dropped entirely.
+ */
+class SvgSanitizer {
+	/** Elements that can carry or execute active content. */
+	private const FORBIDDEN_ELEMENTS = [
+		'script',
+		'foreignObject',
+		'handler',
+		'listener',
+		'set',
+	];
+
+	/**
+	 * @param string $svg The raw (decoded) SVG markup
+	 * @return string The sanitised markup, or an empty string if it cannot be
+	 *                parsed safely
+	 */
+	public function sanitize(string $svg): string {
+		if (trim($svg) === '') {
+			return '';
+		}
+
+		// A DOCTYPE or entity declaration is not needed for plain SVG graphics
+		// and is a common XXE / entity-expansion vector. Reject such documents.
+		if (preg_match('/<!DOCTYPE|<!ENTITY/i', $svg) === 1) {
+			return '';
+		}
+
+		$dom = new DOMDocument();
+		$previousErrors = libxml_use_internal_errors(true);
+		// LIBXML_NONET forbids any network access while parsing.
+		$loaded = $dom->loadXML($svg, LIBXML_NONET);
+		libxml_clear_errors();
+		libxml_use_internal_errors($previousErrors);
+
+		if (!$loaded || $dom->documentElement === null) {
+			return '';
+		}
+
+		$xpath = new DOMXPath($dom);
+
+		// Remove dangerous elements. Matching on the local name catches them
+		// regardless of any namespace prefix (e.g. <x:script>).
+		foreach (self::FORBIDDEN_ELEMENTS as $tag) {
+			$nodes = $xpath->query('//*[local-name() = "' . $tag . '"]');
+			if ($nodes !== false) {
+				foreach (iterator_to_array($nodes) as $node) {
+					$node->parentNode?->removeChild($node);
+				}
+			}
+		}
+
+		$elements = $xpath->query('//*');
+		if ($elements !== false) {
+			foreach ($elements as $element) {
+				if ($element instanceof DOMElement) {
+					$this->stripDangerousAttributes($element);
+				}
+			}
+		}
+
+		$result = $dom->saveXML($dom->documentElement);
+		return $result === false ? '' : $result;
+	}
+
+	private function stripDangerousAttributes(DOMElement $element): void {
+		/** @var DOMAttr $attribute */
+		foreach (iterator_to_array($element->attributes) as $attribute) {
+			$name = strtolower($attribute->nodeName);
+			$value = trim($attribute->nodeValue ?? '');
+
+			// Inline event handlers (onload, onclick, …).
+			if (str_starts_with($name, 'on')) {
+				$element->removeAttributeNode($attribute);
+				continue;
+			}
+
+			// Only allow same-document references; strip javascript:, external
+			// and data: URLs from links and resource references.
+			if (in_array($name, ['href', 'xlink:href'], true) && !str_starts_with($value, '#')) {
+				$element->removeAttributeNode($attribute);
+			}
+		}
+	}
+}
diff --git a/src/ckeditor/image/ImageAlignmentPlugin.js b/src/ckeditor/image/ImageAlignmentPlugin.js
new file mode 100644
index 0000000000..60bd8f2e8e
--- /dev/null
+++ b/src/ckeditor/image/ImageAlignmentPlugin.js
@@ -0,0 +1,69 @@
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import alignCenterIcon from '@mdi/svg/svg/format-align-center.svg?raw'
+import alignLeftIcon from '@mdi/svg/svg/format-align-left.svg?raw'
+import alignRightIcon from '@mdi/svg/svg/format-align-right.svg?raw'
+import { translate as t } from '@nextcloud/l10n'
+import { addToolbarToDropdown, createDropdown, Plugin } from 'ckeditor5'
+
+const ALIGNMENT_BUTTONS = [
+	'imageStyle:alignBlockLeft',
+	'imageStyle:alignCenter',
+	'imageStyle:alignBlockRight',
+]
+
+/**
+ * Registers an "imageAlignment" toolbar item that groups the image alignment
+ * options into a single dropdown button — the whole button opens the menu,
+ * exactly like the text-alignment dropdown. CKEditor's built-in image-style
+ * grouping renders a split button instead (with a separately hoverable arrow),
+ * which is what this plugin replaces.
+ */
+export default class ImageAlignmentPlugin extends Plugin {
+	static get pluginName() {
+		return 'ImageAlignmentPlugin'
+	}
+
+	init() {
+		const editor = this.editor
+		const factory = editor.ui.componentFactory
+
+		factory.add('imageAlignment', (locale) => {
+			const dropdown = createDropdown(locale)
+			const buttons = ALIGNMENT_BUTTONS.map((name) => factory.create(name))
+
+			addToolbarToDropdown(dropdown, buttons, {
+				enableActiveItemFocusOnDropdownOpen: true,
+			})
+
+			dropdown.buttonView.set({
+				label: t('mail', 'Align image'),
+				icon: alignLeftIcon,
+				tooltip: true,
+			})
+
+			// Reflect the current alignment on the toolbar button, like the text
+			// alignment dropdown does.
+			const command = editor.commands.get('imageStyle')
+			if (command) {
+				dropdown.buttonView.bind('icon').to(command, 'value', (value) => {
+					if (value === 'alignCenter') {
+						return alignCenterIcon
+					}
+					if (value === 'alignBlockRight') {
+						return alignRightIcon
+					}
+					return alignLeftIcon
+				})
+			}
+
+			// Only enable the dropdown while an alignment option is available.
+			dropdown.bind('isEnabled').toMany(buttons, 'isEnabled', (...enabled) => enabled.some(Boolean))
+
+			return dropdown
+		})
+	}
+}
diff --git a/src/ckeditor/image/ImageDropdownPlugin.js b/src/ckeditor/image/ImageDropdownPlugin.js
new file mode 100644
index 0000000000..bf805c3ee4
--- /dev/null
+++ b/src/ckeditor/image/ImageDropdownPlugin.js
@@ -0,0 +1,72 @@
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import folderIcon from '@mdi/svg/svg/folder-image.svg?raw'
+import imageIcon from '@mdi/svg/svg/image.svg?raw'
+import linkIcon from '@mdi/svg/svg/link-variant.svg?raw'
+import uploadIcon from '@mdi/svg/svg/upload.svg?raw'
+import { translate as t } from '@nextcloud/l10n'
+import { ButtonView, createDropdown, Plugin } from 'ckeditor5'
+
+/**
+ * Toolbar dropdown to insert an image, offering three options: uploading a file
+ * from the computer, picking one from the Nextcloud files, or fetching one by
+ * URL. Each option only fires an event; the surrounding Vue component
+ * (TextEditor) performs the actual work.
+ */
+export default class ImageDropdownPlugin extends Plugin {
+	init() {
+		const editor = this.editor
+
+		editor.ui.componentFactory.add('imageDropdown', (locale) => {
+			const dropdown = createDropdown(locale)
+			dropdown.class = 'mail-image-insert-dropdown'
+			dropdown.buttonView.set({
+				label: t('mail', 'Insert image'),
+				icon: imageIcon,
+				tooltip: true,
+			})
+
+			const fire = (event) => () => {
+				dropdown.isOpen = false
+				editor.fire(event)
+			}
+
+			dropdown.panelView.children.add(this._createActionButton(
+				locale,
+				t('mail', 'Upload from computer'),
+				uploadIcon,
+				fire('mail:uploadImageFromComputer'),
+			))
+			dropdown.panelView.children.add(this._createActionButton(
+				locale,
+				t('mail', 'Insert with file manager'),
+				folderIcon,
+				fire('mail:insertImageFromFiles'),
+			))
+			dropdown.panelView.children.add(this._createActionButton(
+				locale,
+				t('mail', 'Insert via URL'),
+				linkIcon,
+				fire('mail:insertImageFromUrl'),
+			))
+
+			return dropdown
+		})
+	}
+
+	_createActionButton(locale, label, icon, onExecute) {
+		const button = new ButtonView(locale)
+		button.set({
+			label,
+			icon,
+			tooltip: false,
+			withText: true,
+			isEnabled: true,
+		})
+		button.on('execute', onExecute)
+		return button
+	}
+}
diff --git a/src/ckeditor/image/ImageLinkFormPlugin.js b/src/ckeditor/image/ImageLinkFormPlugin.js
new file mode 100644
index 0000000000..0861d73091
--- /dev/null
+++ b/src/ckeditor/image/ImageLinkFormPlugin.js
@@ -0,0 +1,53 @@
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import { Plugin } from 'ckeditor5'
+
+/**
+ * Adjusts the link form when it is opened for an image. An image link has no
+ * "displayed text" (the image itself is the link content), so that input is
+ * hidden to avoid confusion. Dismissing the link balloon while the image stays
+ * selected returns to the image toolbar, which gives the same "back to the
+ * image menu" navigation as the text-alternative form.
+ *
+ * The implementation only reads CKEditor's public API and toggles a DOM style;
+ * if a future version renames the form pieces it simply does nothing.
+ */
+export default class ImageLinkFormPlugin extends Plugin {
+	static get requires() {
+		return ['LinkUI']
+	}
+
+	static get pluginName() {
+		return 'ImageLinkFormPlugin'
+	}
+
+	init() {
+		const editor = this.editor
+
+		if (!editor.plugins.has('ContextualBalloon')) {
+			return
+		}
+
+		const linkUI = editor.plugins.get('LinkUI')
+		const balloon = editor.plugins.get('ContextualBalloon')
+
+		balloon.on('change:visibleView', () => {
+			const formView = linkUI.formView
+			const displayedText = formView?.displayedTextInputView
+			if (!displayedText?.element || balloon.visibleView !== formView) {
+				return
+			}
+
+			const imageUtils = editor.plugins.has('ImageUtils')
+				? editor.plugins.get('ImageUtils')
+				: null
+			const isOnImage = !!imageUtils?.getClosestSelectedImageElement(
+				editor.model.document.selection,
+			)
+			displayedText.element.style.display = isOnImage ? 'none' : ''
+		})
+	}
+}
diff --git a/src/ckeditor/image/ImagePastePlugin.js b/src/ckeditor/image/ImagePastePlugin.js
new file mode 100644
index 0000000000..08ad470fcf
--- /dev/null
+++ b/src/ckeditor/image/ImagePastePlugin.js
@@ -0,0 +1,87 @@
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import { Plugin } from 'ckeditor5'
+import logger from '../../logger.js'
+import { fetchImageAsDataUri } from '../../service/ImageProxyService.js'
+
+const EXTERNAL_SRC = /^https?:\/\//i
+
+/**
+ * Inlines images that are pasted from another web page. Such images keep their
+ * original external `src`, which the editor's strict CSP refuses to load, so
+ * they render as the broken/alt-text placeholder. Fetching them through the
+ * server-side image proxy turns them into data: URIs that both display in the
+ * editor and are sent as inline attachments — exactly like the "insert image
+ * from URL" feature.
+ */
+export default class ImagePastePlugin extends Plugin {
+	static get pluginName() {
+		return 'ImagePastePlugin'
+	}
+
+	init() {
+		const model = this.editor.model
+
+		model.document.on('change:data', () => {
+			const images = []
+			for (const change of model.document.differ.getChanges()) {
+				if (change.type !== 'insert') {
+					continue
+				}
+				const node = change.position?.nodeAfter
+				if (node) {
+					this._collectExternalImages(node, images)
+				}
+			}
+
+			images.forEach((image) => this._inlineExternalImage(image))
+		})
+	}
+
+	/**
+	 * Recursively collects images with an external src from an inserted node.
+	 *
+	 * @param {module:engine/model/node~Node} node the inserted node to inspect
+	 * @param {Array} found accumulator of matching image elements
+	 * @private
+	 */
+	_collectExternalImages(node, found) {
+		if (!node.is?.('element')) {
+			return
+		}
+
+		const isImage = node.is('element', 'imageBlock') || node.is('element', 'imageInline')
+		if (isImage && EXTERNAL_SRC.test(node.getAttribute('src') ?? '')) {
+			found.push(node)
+		}
+
+		for (const child of node.getChildren()) {
+			this._collectExternalImages(child, found)
+		}
+	}
+
+	/**
+	 * Fetches an external image through the proxy and rewrites its src to the
+	 * returned data: URI. Runs asynchronously, so the model is re-checked before
+	 * the write in case the element was removed in the meantime.
+	 *
+	 * @param {module:engine/model/element~Element} image the image element
+	 * @private
+	 */
+	async _inlineExternalImage(image) {
+		const src = image.getAttribute('src')
+		try {
+			const dataUri = await fetchImageAsDataUri(src)
+			this.editor.model.change((writer) => {
+				if (image.root?.rootName && image.parent) {
+					writer.setAttribute('src', dataUri, image)
+				}
+			})
+		} catch (error) {
+			logger.error('Could not inline pasted image', { error, src })
+		}
+	}
+}
diff --git a/src/components/EditorSettings.vue b/src/components/EditorSettings.vue
index f8889b85e4..a6f22eff04 100644
--- a/src/components/EditorSettings.vue
+++ b/src/components/EditorSettings.vue
@@ -8,20 +8,24 @@
 		<p>
 			<input
 				id="plaintext"
-				v-model="mode"
+				ref="plaintext"
+				:name="radioGroupName"
 				type="radio"
 				class="radio"
-				value="plaintext">
-			<label :class="{ primary: mode === 'plaintext' }" for="plaintext">
+				:checked="account.editorMode === EDITOR_MODE_TEXT"
+				@change="selectMode(EDITOR_MODE_TEXT)">
+			<label :class="{ primary: account.editorMode === EDITOR_MODE_TEXT }" for="plaintext">
 				{{ t('mail', 'Plain text') }}
 			</label>
 			<input
 				id="richtext"
-				v-model="mode"
+				ref="richtext"
+				:name="radioGroupName"
 				type="radio"
 				class="radio"
-				value="richtext">
-			<label :class="{ primary: mode === 'richtext' }" for="richtext">
+				:checked="account.editorMode === EDITOR_MODE_HTML"
+				@change="selectMode(EDITOR_MODE_HTML)">
+			<label :class="{ primary: account.editorMode === EDITOR_MODE_HTML }" for="richtext">
 				{{ t('mail', 'Rich text') }}
 			</label>
 		</p>
@@ -31,6 +35,7 @@
 <script>
 import { mapStores } from 'pinia'
 import Logger from '../logger.js'
+import { EDITOR_MODE_HTML, EDITOR_MODE_TEXT } from '../store/constants.js'
 import useMainStore from '../store/mainStore.js'
 
 export default {
@@ -42,22 +47,56 @@ export default {
 		},
 	},
 
-	data() {
-		return {
-			mode: this.account.editorMode,
-		}
-	},
-
 	computed: {
 		...mapStores(useMainStore),
+
+		// Expose the constants to the template and group the radios per account.
+		EDITOR_MODE_TEXT: () => EDITOR_MODE_TEXT,
+		EDITOR_MODE_HTML: () => EDITOR_MODE_HTML,
+		radioGroupName() {
+			return `editor-mode-${this.account.id}`
+		},
 	},
 
-	watch: {
-		mode(val, oldVal) {
+	methods: {
+		selectMode(mode) {
+			if (mode === this.account.editorMode) {
+				return
+			}
+
+			// Switching from rich text to plain text strips all formatting and
+			// inline images — including those in the signature — so confirm first.
+			if (this.account.editorMode === EDITOR_MODE_HTML && mode === EDITOR_MODE_TEXT) {
+				// The native radio already moved the DOM selection; snap it back to
+				// the stored value at once so the writing mode only visibly changes
+				// once the user confirms.
+				this.syncRadios()
+				OC.dialogs.confirmDestructive(
+					t('mail', 'Switching to plain text removes any existing formatting such as bold, italic, underline, inline images and links — including those in your signature.'),
+					t('mail', 'Switch to plain text'),
+					{
+						type: OC.dialogs.YES_NO_BUTTONS,
+						confirm: t('mail', 'Switch and remove formatting'),
+						confirmClasses: 'error',
+						cancel: t('mail', 'Keep rich text'),
+					},
+					(decision) => {
+						if (decision) {
+							this.persistMode(mode)
+						}
+					},
+				)
+				return
+			}
+
+			this.persistMode(mode)
+		},
+
+		persistMode(mode) {
 			this.mainStore.patchAccount({
 				account: this.account,
 				data: {
-					editorMode: val,
+					editorMode: mode,
 				},
 			})
 				.then(() => {
@@ -65,10 +104,25 @@ export default {
 				})
 				.catch((error) => {
 					Logger.error('could not update editor mode', { error })
-					this.editorMode = oldVal
+					this.syncRadios()
 					throw error
 				})
 		},
+
+		/**
+		 * Re-asserts the radio DOM selection from the stored writing mode. Vue keeps
+		 * `:checked` bound to the store, but a native toggle we do not persist
+		 * (cancelled or failed) leaves the DOM out of sync because the bound value
+		 * never changed and Vue therefore skips patching it.
+		 */
+		syncRadios() {
+			if (this.$refs.plaintext) {
+				this.$refs.plaintext.checked = this.account.editorMode === EDITOR_MODE_TEXT
+			}
+			if (this.$refs.richtext) {
+				this.$refs.richtext.checked = this.account.editorMode === EDITOR_MODE_HTML
+			}
+		},
 	},
 }
 </script>
diff --git a/src/components/NavigationAccount.vue b/src/components/NavigationAccount.vue
index 0d9b24706e..567154de82 100644
--- a/src/components/NavigationAccount.vue
+++ b/src/components/NavigationAccount.vue
@@ -96,11 +96,6 @@
 				</template>
 			</template>
 		</NcAppNavigationCaption>
-		<AccountSettings
-			:open="showSettings"
-			:account="account"
-			:scroll-to-section="showSettingsSection"
-			@update:open="showAccountSettings($event)" />
 		<DelegationModal v-if="showDelegationModal" :account="account" @close="showDelegationModal = false" />
 	</Fragment>
 </template>
@@ -132,7 +127,6 @@ export default {
 		ActionCheckbox,
 		ActionInput,
 		ActionText,
-		AccountSettings: () => import(/* webpackChunkName: "account-settings" */ './AccountSettings.vue'),
 		DelegationModal: () => import(/* webpackChunkName: "delegation-modal" */ './DelegationModal.vue'),
 		IconInfo,
 		IconSettings,
@@ -193,14 +187,6 @@ export default {
 
 	computed: {
 		...mapStores(useMainStore),
-		showSettings() {
-			return this.mainStore.showSettingsForAccount(this.account.id)
-		},
-
-		showSettingsSection() {
-			return this.mainStore.showSettingsSectionForAccount(this.account.id)
-		},
-
 		visible() {
 			return this.account.isUnified !== true && this.account.visible !== false
 		},
diff --git a/src/components/SignatureSettings.vue b/src/components/SignatureSettings.vue
index e5bdc18d27..526ddd35a4 100644
--- a/src/components/SignatureSettings.vue
+++ b/src/components/SignatureSettings.vue
@@ -28,8 +28,9 @@
 		<!-- Added wrapper to give the signature editor a clear input-style border -->
 		<div class="signature-editor-wrapper">
 			<TextEditor
+				:key="account.editorMode"
 				v-model="signature"
-				:html="true"
+				:html="editorIsHtml"
 				:placeholder="t('mail', 'Signature …')"
 				:bus="bus"
 				class="signature-editor-wrapper__editor" />
@@ -66,8 +67,9 @@ import { mapStores } from 'pinia'
 import IconCheck from 'vue-material-design-icons/Check.vue'
 import TextEditor from './TextEditor.vue'
 import logger from '../logger.js'
+import { EDITOR_MODE_HTML } from '../store/constants.js'
 import useMainStore from '../store/mainStore.js'
-import { detect, toHtml } from '../util/text.js'
+import { detect, toHtml, toPlain } from '../util/text.js'
 
 export default {
 	name: 'SignatureSettings',
@@ -98,6 +100,10 @@ export default {
 
 	computed: {
 		...mapStores(useMainStore),
+		editorIsHtml() {
+			return this.account.editorMode === EDITOR_MODE_HTML
+		},
+
 		identities() {
 			const identities = this.account.aliases.map((alias) => {
 				return {
@@ -122,6 +128,15 @@ export default {
 	},
 
 	watch: {
+		// The signature editor follows the account's writing mode. When that mode
+		// changes (e.g. via the writing-mode setting), re-encode the in-editor
+		// signature so plain text never shows raw HTML and vice versa. Switching to
+		// plain text is lossy (images/links are dropped); the writing-mode setting
+		// warns the user before the change reaches here.
+		editorIsHtml() {
+			this.signature = this.formatSignature(this.signature)
+		},
+
 		async signatureAboveQuote(val, oldVal) {
 			try {
 				await this.mainStore.patchAccount({
@@ -146,9 +161,22 @@ export default {
 		changeIdentity(identity) {
 			logger.debug('select identity', { identity })
 			this.identity = identity
-			this.signature = identity.signature
-				? toHtml(detect(identity.signature)).value
-				: ''
+			this.signature = this.formatSignature(identity.signature)
+		},
+
+		/**
+		 * Encodes a stored signature into the format the editor currently expects
+		 * (HTML in rich-text mode, plain text otherwise).
+		 *
+		 * @param {string|null} signature the stored signature
+		 * @return {string} the signature in the active editor format
+		 */
+		formatSignature(signature) {
+			if (!signature) {
+				return ''
+			}
+			const detected = detect(signature)
+			return this.editorIsHtml ? toHtml(detected).value : toPlain(detected).value
 		},
 
 		async deleteSignature() {
diff --git a/src/components/TextEditor.vue b/src/components/TextEditor.vue
index 9f970fdae1..b7b47a8d17 100644
--- a/src/components/TextEditor.vue
+++ b/src/components/TextEditor.vue
@@ -18,13 +18,44 @@
 			class="editor"
 			@input="onEditorInput"
 			@ready="onEditorReady" />
+
+		<input
+			ref="imageFileInput"
+			type="file"
+			accept="image/*"
+			multiple
+			class="image-file-input"
+			@change="onImageFilesSelected">
+
+		<NcDialog
+			:open.sync="imageUrlDialogOpen"
+			:name="t('mail', 'Insert image from URL')"
+			:buttons="imageUrlDialogButtons"
+			size="normal">
+			<NcTextField
+				v-model="imageUrl"
+				:label="t('mail', 'Image URL')"
+				type="url"
+				:disabled="imageUrlLoading"
+				@keydown.enter.prevent="insertImageFromUrl" />
+		</NcDialog>
+
+		<FilePicker
+			v-if="imageFilePickerOpen"
+			:name="t('mail', 'Choose an image')"
+			:buttons="imageFilePickerButtons"
+			:multiselect="false"
+			:mimetype-filter="['image/png', 'image/jpeg', 'image/gif', 'image/bmp', 'image/webp', 'image/svg+xml']"
+			@close="() => imageFilePickerOpen = false" />
 	</div>
 </template>
 
 <script>
 import CKEditor from '@ckeditor/ckeditor5-vue2'
+import { showError } from '@nextcloud/dialogs'
+import { FilePickerVue as FilePicker } from '@nextcloud/dialogs/filepicker.js'
 import { getLanguage } from '@nextcloud/l10n'
-import { emojiAddRecent, emojiSearch } from '@nextcloud/vue'
+import { emojiAddRecent, emojiSearch, NcDialog, NcTextField } from '@nextcloud/vue'
 import {
 	Alignment,
 	Base64UploadAdapter,
@@ -39,9 +70,12 @@ import {
 	Heading,
 	Image,
 	ImageResize,
+	ImageStyle,
+	ImageToolbar,
 	ImageUpload,
 	Italic,
 	Link,
+	LinkImage,
 	List,
 	Mention,
 	Paragraph,
@@ -54,20 +88,46 @@ import {
 } from 'ckeditor5'
 import { getLinkWithPicker, searchProvider } from '@nextcloud/vue/components/NcRichText'
 import TextDirectionPlugin from '../ckeditor/direction/TextDirectionPlugin.js'
+import ImageAlignmentPlugin from '../ckeditor/image/ImageAlignmentPlugin.js'
+import ImageDropdownPlugin from '../ckeditor/image/ImageDropdownPlugin.js'
+import ImageLinkFormPlugin from '../ckeditor/image/ImageLinkFormPlugin.js'
+import ImagePastePlugin from '../ckeditor/image/ImagePastePlugin.js'
 import MailPlugin from '../ckeditor/mail/MailPlugin.js'
 import QuotePlugin from '../ckeditor/quote/QuotePlugin.js'
 import SignaturePlugin from '../ckeditor/signature/SignaturePlugin.js'
 import PickerPlugin from '../ckeditor/smartpicker/PickerPlugin.js'
+import { getClient } from '../dav/client.js'
 import logger from '../logger.js'
 import { autoCompleteByName } from '../service/ContactIntegrationService.js'
+import { fetchImageAsDataUri } from '../service/ImageProxyService.js'
 import { Text, toPlain } from '../util/text.js'
 
 import 'ckeditor5/ckeditor5.css'
 
+const IMAGE_FILE_SIZE_LIMIT = 10 * 1024 * 1024
+
+/**
+ * Read a Blob as a data: URI.
+ *
+ * @param {Blob} blob the blob to read
+ * @return {Promise<string>} the data URI
+ */
+function readBlobAsDataUri(blob) {
+	return new Promise((resolve, reject) => {
+		const reader = new FileReader()
+		reader.onload = () => resolve(reader.result)
+		reader.onerror = () => reject(reader.error)
+		reader.readAsDataURL(blob)
+	})
+}
+
 export default {
 	name: 'TextEditor',
 	components: {
 		Ckeditor: CKEditor.component,
+		FilePicker,
+		NcDialog,
+		NcTextField,
 	},
 
 	inject: {
@@ -150,6 +210,13 @@ export default {
 				Image,
 				ImageUpload,
 				ImageResize,
+				ImageStyle,
+				ImageToolbar,
+				LinkImage,
+				ImageDropdownPlugin,
+				ImageAlignmentPlugin,
+				ImageLinkFormPlugin,
+				ImagePastePlugin,
 				Font,
 				RemoveFormat,
 				Base64UploadAdapter,
@@ -169,7 +236,7 @@ export default {
 				'subscript',
 				'superscript',
 				'fontBackgroundColor',
-				'insertImage',
+				'imageDropdown',
 				'alignment',
 				'textDirection:ltr',
 				'textDirection:rtl',
@@ -188,6 +255,17 @@ export default {
 			emojiTribute: null,
 			contactMentionQuery: null,
 			textSmiles: [],
+			imageUrlDialogOpen: false,
+			imageUrl: '',
+			imageUrlLoading: false,
+			imageFilePickerOpen: false,
+			imageFilePickerButtons: [
+				{
+					label: t('mail', 'Choose'),
+					type: 'primary',
+					callback: this.onImageFilesPicked,
+				},
+			],
 			sourceEditingInputHandler: null,
 			sourceEditingModeHandler: null,
 			sourceEditingDebounceTimer: null,
@@ -199,6 +277,45 @@ export default {
 				plugins,
 				toolbar,
 				language: 'en',
+				image: {
+					// Resize using absolute pixels instead of percentages. A percentage
+					// width is relative to the unknown width of the recipient's mail
+					// client, which makes images appear far too large elsewhere; pixels
+					// translate predictably and are normalised to width/height
+					// attributes when the message is sent.
+					resizeUnit: 'px',
+					// Insert images as block widgets. This keeps alignment a property of
+					// the image itself (instead of the paragraph it lives in), lets the
+					// user add paragraphs before/after the image, and disables the text
+					// formatting buttons while an image is selected.
+					insert: {
+						type: 'block',
+					},
+					styles: {
+						// Image-specific alignment so changing it never reflows the
+						// surrounding text. The unstyled state is left-aligned (see the
+						// editor CSS) and is the e-mail-safe default; the explicit classes
+						// are turned into inline styles when the message is sent.
+						options: ['alignBlockLeft', 'alignCenter', 'alignBlockRight'],
+					},
+					resizeOptions: [
+						{ name: 'resizeImage:original', value: null, label: t('mail', 'Original size') },
+						{ name: 'resizeImage:small', value: '150', label: t('mail', 'Small') },
+						{ name: 'resizeImage:medium', value: '300', label: t('mail', 'Medium') },
+						{ name: 'resizeImage:large', value: '500', label: t('mail', 'Large') },
+					],
+					toolbar: [
+						'imageAlignment',
+						'|',
+						'imageTextAlternative',
+						'|',
+						'resizeImage',
+					],
+					upload: {
+						// Defaults plus SVG so vector logos can be uploaded as well.
+						types: ['jpeg', 'png', 'gif', 'bmp', 'webp', 'tiff', 'svg+xml'],
+					},
+				},
 				mention: {
 					feeds: [
 						{
@@ -252,6 +369,38 @@ export default {
 		}
 	},
 
+	computed: {
+		imageUrlDialogButtons() {
+			return [
+				{
+					label: t('mail', 'Cancel'),
+					type: 'tertiary',
+					disabled: this.imageUrlLoading,
+					callback: () => {
+						this.imageUrlDialogOpen = false
+					},
+				},
+				{
+					label: t('mail', 'Insert'),
+					type: 'primary',
+					disabled: !this.imageUrl || this.imageUrlLoading,
+					callback: () => {
+						this.insertImageFromUrl()
+					},
+				},
+			]
+		},
+	},
+
+	watch: {
+		imageUrlDialogOpen(open) {
+			if (!open) {
+				this.imageUrl = ''
+				this.imageUrlLoading = false
+			}
+		},
+	},
+
 	beforeMount() {
 		this.loadEditorTranslations(getLanguage())
 	},
@@ -580,7 +729,22 @@ export default {
 			}
 
 			if (this.html) {
-				this.addToFocusTrap('.ck-body-wrapper')
+				// Exempt CKEditor's balloon container (image toolbar, link form,
+				// mention lists, …) from the surrounding modal's focus trap so it
+				// can be interacted with. The account-settings dialog resolves trap
+				// elements differently from the composer modal, so register the
+				// resolved node — accepted by both — rather than a selector string.
+				const ckBodyWrapper = document.querySelector('.ck-body-wrapper')
+				this.addToFocusTrap(ckBodyWrapper || '.ck-body-wrapper')
+				editor.on('mail:insertImageFromUrl', () => {
+					this.imageUrlDialogOpen = true
+				})
+				editor.on('mail:uploadImageFromComputer', () => {
+					this.$refs.imageFileInput?.click()
+				})
+				editor.on('mail:insertImageFromFiles', () => {
+					this.imageFilePickerOpen = true
+				})
 			}
 
 			this.bus.on('append-to-body-at-cursor', this.appendToBodyAtCursor)
@@ -602,6 +766,62 @@ export default {
 			this.editorInstance.model.insertContent(modelFragment)
 		},
 
+		async insertImageFromUrl() {
+			const url = this.imageUrl.trim()
+			if (!url || this.imageUrlLoading) {
+				return
+			}
+
+			this.imageUrlLoading = true
+			try {
+				// The image is fetched server-side and returned as a data: URI. It
+				// renders in the editor despite the strict CSP and is turned into an
+				// inline attachment when the message is sent. Insert it through the
+				// same command the upload feature uses so both behave identically.
+				const dataUri = await fetchImageAsDataUri(url)
+				this.editorInstance.execute('insertImage', { source: dataUri })
+				this.editorInstance.editing.view.focus()
+				this.imageUrlDialogOpen = false
+			} catch (error) {
+				logger.error('Could not insert image from URL', { error })
+				showError(t('mail', 'Could not insert image from URL'))
+			} finally {
+				this.imageUrlLoading = false
+			}
+		},
+
+		onImageFilesSelected(event) {
+			const files = Array.from(event.target.files ?? [])
+			if (files.length > 0) {
+				this.editorInstance.execute('uploadImage', { file: files })
+			}
+			// Reset so selecting the same file again still triggers a change event.
+			event.target.value = ''
+		},
+
+		async onImageFilesPicked(nodes) {
+			this.imageFilePickerOpen = false
+			const node = Array.isArray(nodes) ? nodes[0] : nodes
+			if (!node?.path) {
+				return
+			}
+
+			try {
+				if (node.size > IMAGE_FILE_SIZE_LIMIT) {
+					showError(t('mail', 'The selected image is too large to embed'))
+					return
+				}
+				const content = await getClient('files').getFileContents(node.path, { format: 'binary' })
+				const blob = new Blob([content], { type: node.mime || 'application/octet-stream' })
+				const dataUri = await readBlobAsDataUri(blob)
+				this.editorInstance.execute('insertImage', { source: dataUri })
+				this.editorInstance.editing.view.focus()
+			} catch (error) {
+				logger.error('Could not insert image from files', { error })
+				showError(t('mail', 'Could not insert the selected image'))
+			}
+		},
+
 		editorExecute(commandName, ...args) {
 			if (this.editorInstance) {
 				this.editorInstance.execute(commandName, ...args)
@@ -671,6 +891,17 @@ export default {
 	cursor: text;
 	margin: 0 !important;
 }
+
+/* Block images are centred by CKEditor's default stylesheet. Left-align the
+   unstyled state so it matches both the e-mail-safe default and the explicit
+   "align left" option; centring/right alignment stay opt-in via the toolbar. */
+:deep(.ck-content .image:not([class*='image-style'])) {
+	margin-inline: 0 auto;
+}
+
+.image-file-input {
+	display: none;
+}
 </style>
 
 <style>
@@ -865,6 +1096,27 @@ https://github.com/ckeditor/ckeditor5/issues/1142
 	border-radius: var(--border-radius-large) !important;
 }
 
+/* Size the "Insert image" dropdown to its labels so it stays usable in narrow
+   containers too (e.g. the signature editor inside the settings dialog). */
+.mail-image-insert-dropdown .ck-dropdown__panel {
+	min-width: max-content;
+}
+
+/* Balance the padding of the "Insert image" dropdown entries: the icon should
+   sit a comfortable distance from the left edge and the label should not leave
+   a large empty gap on the right. */
+.mail-image-insert-dropdown .ck-dropdown__panel .ck-button {
+	display: flex;
+	width: 100%;
+	justify-content: flex-start;
+	padding-inline: var(--default-grid-baseline, 4px);
+}
+
+.mail-image-insert-dropdown .ck-dropdown__panel .ck-button .ck-button__label {
+	padding-inline-start: var(--default-grid-baseline, 4px);
+	padding-inline-end: var(--default-grid-baseline, 4px);
+}
+
 /* Needs to be set to flex, bececause else it breaks the toolbar - it is shown in 2 lines instead of 1 */
 .ck.ck-splitbutton.ck-dropdown__button{
 	display: flex !important;
diff --git a/src/service/ImageProxyService.js b/src/service/ImageProxyService.js
new file mode 100644
index 0000000000..b90d2e25f8
--- /dev/null
+++ b/src/service/ImageProxyService.js
@@ -0,0 +1,20 @@
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import axios from '@nextcloud/axios'
+import { generateUrl } from '@nextcloud/router'
+
+/**
+ * Fetch an external image through the server and return it as a data: URI so it
+ * can be embedded into the editor and later sent as an inline attachment.
+ *
+ * @param {string} url The external image URL
+ * @return {Promise<string>} The image encoded as a data: URI
+ */
+export async function fetchImageAsDataUri(url) {
+	const endpoint = generateUrl('/apps/mail/api/image/proxy')
+	const { data } = await axios.get(endpoint, { params: { url } })
+	return data.data
+}
diff --git a/src/store/mainStore/actions.js b/src/store/mainStore/actions.js
index 58579dcd53..588bb7a30e 100644
--- a/src/store/mainStore/actions.js
+++ b/src/store/mainStore/actions.js
@@ -2503,15 +2503,6 @@ export default function mainStoreActions() {
 		getInbox(accountId) {
 			return this.findMailboxBySpecialRole(accountId, 'inbox')
 		},
-		showSettingsForAccount(accountId) {
-			return this.showAccountSettings?.accountId === accountId
-		},
-		showSettingsSectionForAccount(accountId) {
-			if (this.showAccountSettings?.accountId !== accountId) {
-				return undefined
-			}
-			return this.showAccountSettings.section
-		},
 		getMyTextBlocks() {
 			return this.myTextBlocks
 		},
diff --git a/src/views/Home.vue b/src/views/Home.vue
index 56fad9e960..7fc60e9716 100644
--- a/src/views/Home.vue
+++ b/src/views/Home.vue
@@ -15,6 +15,18 @@
 			<ComposerSessionIndicator @close="onCloseMessageModal" />
 			<NewMessageModal ref="newMessageModal" :accounts="accounts" />
 		</template>
+
+		<!-- Rendered here, at the stable app root, rather than inside the
+		     navigation: NcModal relocates the dialog to <body> on mount, but the
+		     frequently re-rendering navigation moves it back into the scrollable,
+		     overflow-clipped sidebar. CKEditor then considers its content clipped
+		     and parks every balloon (image toolbar, link form) off-screen. -->
+		<AccountSettings
+			v-if="settingsAccount"
+			:open="settingsOpen"
+			:account="settingsAccount"
+			:scroll-to-section="settingsSection"
+			@update:open="onCloseAccountSettings" />
 	</NcContent>
 </template>
 
@@ -38,6 +50,7 @@ export default {
 		MailboxThread,
 		Navigation,
 		NewMessageModal: () => import(/* webpackChunkName: "new-message-modal" */ '../components/NewMessageModal.vue'),
+		AccountSettings: () => import(/* webpackChunkName: "account-settings" */ '../components/AccountSettings.vue'),
 		Outbox,
 		ComposerSessionIndicator,
 	},
@@ -45,12 +58,19 @@ export default {
 	data() {
 		return {
 			hasComposerSession: false,
+			// Id of the account whose settings dialog is open. The id is kept after
+			// closing so the dialog stays mounted for its out-transition. The account
+			// object itself is resolved reactively (see settingsAccount) so settings
+			// sub-components observe store updates live instead of a stale snapshot.
+			settingsAccountId: null,
+			settingsOpen: false,
+			settingsSection: undefined,
 		}
 	},
 
 	computed: {
 		...mapStores(useMainStore),
-		...mapState(useMainStore, ['composerSessionId']),
+		...mapState(useMainStore, ['composerSessionId', 'showAccountSettings']),
 		accounts() {
 			return this.mainStore.getAccounts.filter((a) => !a.isUnified)
 		},
@@ -62,6 +82,12 @@ export default {
 		activeMailbox() {
 			return this.mainStore.getMailbox(this.$route.params.mailboxId)
 		},
+
+		settingsAccount() {
+			return this.settingsAccountId !== null
+				? this.mainStore.getAccount(this.settingsAccountId)
+				: null
+		},
 	},
 
 	watch: {
@@ -82,6 +108,23 @@ export default {
 
 			this.hasComposerSession = true
 		},
+
+		showAccountSettings: {
+			immediate: true,
+			handler(settings) {
+				if (settings?.accountId) {
+					this.settingsAccountId = settings.accountId
+					this.settingsSection = settings.section
+					// Mount first (settingsAccount), then open on the next tick so the
+					// dialog's `open` watcher fires and runs its on-open side effects.
+					this.$nextTick(() => {
+						this.settingsOpen = true
+					})
+				} else {
+					this.settingsOpen = false
+				}
+			},
+		},
 	},
 
 	async beforeMount() {
@@ -172,6 +215,10 @@ export default {
 		async onCloseMessageModal() {
 			await this.$refs.newMessageModal.onClose()
 		},
+
+		onCloseAccountSettings() {
+			this.mainStore.showSettingsForAccountMutation(null)
+		},
 	},
 }
 
diff --git a/tests/Unit/Controller/ImageProxyControllerTest.php b/tests/Unit/Controller/ImageProxyControllerTest.php
new file mode 100644
index 0000000000..98ec0b8b94
--- /dev/null
+++ b/tests/Unit/Controller/ImageProxyControllerTest.php
@@ -0,0 +1,212 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Mail\Tests\Unit\Controller;
+
+use ChristophWurst\Nextcloud\Testing\TestCase;
+use OCA\Mail\Controller\ImageProxyController;
+use OCA\Mail\Service\SvgSanitizer;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\JSONResponse;
+use OCP\Files\IMimeTypeDetector;
+use OCP\Http\Client\IClient;
+use OCP\Http\Client\IClientService;
+use OCP\Http\Client\IResponse;
+use OCP\Http\Client\LocalServerException;
+use OCP\IRequest;
+use OCP\Security\IRemoteHostValidator;
+use PHPUnit\Framework\MockObject\MockObject;
+use Psr\Log\NullLogger;
+
+class ImageProxyControllerTest extends TestCase {
+	/** @var IRequest|MockObject */
+	private $request;
+
+	/** @var IClientService|MockObject */
+	private $clientService;
+
+	/** @var IRemoteHostValidator|MockObject */
+	private $remoteHostValidator;
+
+	/** @var IMimeTypeDetector|MockObject */
+	private $mimeTypeDetector;
+
+	/** @var SvgSanitizer|MockObject */
+	private $svgSanitizer;
+
+	/** @var ImageProxyController */
+	private $controller;
+
+	protected function setUp(): void {
+		parent::setUp();
+
+		$this->request = $this->createMock(IRequest::class);
+		$this->clientService = $this->createMock(IClientService::class);
+		$this->remoteHostValidator = $this->createMock(IRemoteHostValidator::class);
+		$this->mimeTypeDetector = $this->createMock(IMimeTypeDetector::class);
+		$this->svgSanitizer = $this->createMock(SvgSanitizer::class);
+		$this->controller = new ImageProxyController(
+			'mail',
+			$this->request,
+			$this->clientService,
+			$this->remoteHostValidator,
+			$this->mimeTypeDetector,
+			$this->svgSanitizer,
+			new NullLogger(),
+		);
+	}
+
+	public function testFetchRejectsInvalidScheme(): void {
+		$this->clientService->expects(self::never())
+			->method('newClient');
+
+		$response = $this->controller->fetch('ftp://example.com/image.png');
+
+		self::assertInstanceOf(JSONResponse::class, $response);
+		self::assertSame(Http::STATUS_BAD_REQUEST, $response->getStatus());
+	}
+
+	public function testFetchReturnsDataUri(): void {
+		$content = 'fake-png-bytes';
+		$this->remoteHostValidator->method('isValid')
+			->willReturn(true);
+		$httpResponse = $this->createMock(IResponse::class);
+		$httpResponse->method('getBody')
+			->willReturn($this->streamFor($content));
+		$client = $this->createMock(IClient::class);
+		$client->expects(self::once())
+			->method('get')
+			->willReturn($httpResponse);
+		$this->clientService->expects(self::once())
+			->method('newClient')
+			->willReturn($client);
+		$this->mimeTypeDetector->expects(self::once())
+			->method('detectString')
+			->with($content)
+			->willReturn('image/png');
+
+		$response = $this->controller->fetch('https://example.com/image.png');
+
+		self::assertInstanceOf(JSONResponse::class, $response);
+		self::assertSame(Http::STATUS_OK, $response->getStatus());
+		self::assertSame(
+			['data' => 'data:image/png;base64,' . base64_encode($content)],
+			$response->getData(),
+		);
+	}
+
+	public function testFetchBlocksLocalServer(): void {
+		$this->remoteHostValidator->method('isValid')
+			->willReturn(true);
+		$client = $this->createMock(IClient::class);
+		$client->method('get')
+			->willThrowException(new LocalServerException());
+		$this->clientService->method('newClient')
+			->willReturn($client);
+
+		$response = $this->controller->fetch('https://localhost/image.png');
+
+		self::assertSame(Http::STATUS_FORBIDDEN, $response->getStatus());
+	}
+
+	public function testFetchBlocksForbiddenHost(): void {
+		$this->remoteHostValidator->method('isValid')
+			->willReturn(false);
+		$this->clientService->expects(self::never())
+			->method('newClient');
+
+		$response = $this->controller->fetch('https://127.0.0.1/image.png');
+
+		self::assertSame(Http::STATUS_FORBIDDEN, $response->getStatus());
+	}
+
+	public function testFetchRejectsNonImage(): void {
+		$this->remoteHostValidator->method('isValid')
+			->willReturn(true);
+		$httpResponse = $this->createMock(IResponse::class);
+		$httpResponse->method('getBody')
+			->willReturn($this->streamFor('not-an-image'));
+		$client = $this->createMock(IClient::class);
+		$client->method('get')
+			->willReturn($httpResponse);
+		$this->clientService->method('newClient')
+			->willReturn($client);
+		$this->mimeTypeDetector->method('detectString')
+			->willReturn('text/html');
+
+		$response = $this->controller->fetch('https://example.com/evil');
+
+		self::assertSame(Http::STATUS_UNSUPPORTED_MEDIA_TYPE, $response->getStatus());
+	}
+
+	public function testFetchSniffsSvgMisdetectedAsText(): void {
+		$svg = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>';
+		$this->remoteHostValidator->method('isValid')
+			->willReturn(true);
+		$httpResponse = $this->createMock(IResponse::class);
+		$httpResponse->method('getBody')
+			->willReturn($this->streamFor($svg));
+		$client = $this->createMock(IClient::class);
+		$client->method('get')
+			->willReturn($httpResponse);
+		$this->clientService->method('newClient')
+			->willReturn($client);
+		$this->mimeTypeDetector->method('detectString')
+			->willReturn('text/xml');
+		$this->svgSanitizer->method('sanitize')
+			->willReturnArgument(0);
+
+		$response = $this->controller->fetch('https://example.com/logo.svg');
+
+		self::assertSame(Http::STATUS_OK, $response->getStatus());
+		self::assertSame(
+			['data' => 'data:image/svg+xml;base64,' . base64_encode($svg)],
+			$response->getData(),
+		);
+	}
+
+	public function testFetchSanitizesSvg(): void {
+		$svg = '<svg onload="x()"><rect/></svg>';
+		$sanitized = '<svg><rect/></svg>';
+		$this->remoteHostValidator->method('isValid')
+			->willReturn(true);
+		$httpResponse = $this->createMock(IResponse::class);
+		$httpResponse->method('getBody')
+			->willReturn($this->streamFor($svg));
+		$client = $this->createMock(IClient::class);
+		$client->method('get')
+			->willReturn($httpResponse);
+		$this->clientService->method('newClient')
+			->willReturn($client);
+		$this->mimeTypeDetector->method('detectString')
+			->willReturn('image/svg+xml');
+		$this->svgSanitizer->expects(self::once())
+			->method('sanitize')
+			->with($svg)
+			->willReturn($sanitized);
+
+		$response = $this->controller->fetch('https://example.com/logo.svg');
+
+		self::assertSame(Http::STATUS_OK, $response->getStatus());
+		self::assertSame(
+			['data' => 'data:image/svg+xml;base64,' . base64_encode($sanitized)],
+			$response->getData(),
+		);
+	}
+
+	/**
+	 * @return resource
+	 */
+	private function streamFor(string $content) {
+		$stream = fopen('php://memory', 'r+');
+		fwrite($stream, $content);
+		rewind($stream);
+		return $stream;
+	}
+}
diff --git a/tests/Unit/Controller/ProxyControllerTest.php b/tests/Unit/Controller/ProxyControllerTest.php
index ee6ed5cf0a..0c956fb6b7 100644
--- a/tests/Unit/Controller/ProxyControllerTest.php
+++ b/tests/Unit/Controller/ProxyControllerTest.php
@@ -15,6 +15,7 @@
 use OCA\Mail\Html\ProxyHmacGenerator;
 use OCA\Mail\Http\ProxyDownloadResponse;
 use OCA\Mail\Service\MailManager;
+use OCA\Mail\Service\SvgSanitizer;
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Response;
@@ -53,6 +54,9 @@ class ProxyControllerTest extends TestCase {
 	/** @var MailManager|MockObject */
 	private $mailManager;
 
+	/** @var SvgSanitizer|MockObject */
+	private $svgSanitizer;
+
 	private string $userId = 'user';
 
 	/** @var ProxyController */
@@ -68,6 +72,7 @@ protected function setUp(): void {
 		$this->clientService = $this->createMock(IClientService::class);
 		$this->hmacGenerator = $this->createMock(ProxyHmacGenerator::class);
 		$this->mailManager = $this->createMock(MailManager::class);
+		$this->svgSanitizer = $this->createMock(SvgSanitizer::class);
 		$this->logger = new NullLogger();
 	}
 
@@ -90,6 +95,7 @@ public function testProxyWithoutCookies(): void {
 			$this->hmacGenerator,
 			$this->logger,
 			$this->mailManager,
+			$this->svgSanitizer,
 			$this->userId,
 		);
 
@@ -136,12 +142,67 @@ public function testProxy(): void {
 			$this->hmacGenerator,
 			$this->logger,
 			$this->mailManager,
+			$this->svgSanitizer,
+			$this->userId,
+		);
+
+		$response = $this->controller->proxy($src, $id, $validHmac);
+
+		$this->assertInstanceOf(ProxyDownloadResponse::class, $response);
+	}
+
+	public function testProxySanitizesAndServesSvg(): void {
+		$src = 'https://example.com/logo.svg';
+		$id = 1;
+		$validHmac = 'valid-hmac-hash';
+		$content = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>';
+		$sanitized = '<svg xmlns="http://www.w3.org/2000/svg"></svg>';
+		$httpResponse = $this->createMock(IResponse::class);
+		$this->request->expects(self::once())
+			->method('passesStrictCookieCheck')
+			->willReturn(true);
+		$this->session->expects($this->once())
+			->method('close');
+		$this->hmacGenerator->expects($this->once())
+			->method('generate')
+			->with($id, $src)
+			->willReturn($validHmac);
+		$this->mailManager->expects($this->once())
+			->method('getMessage')
+			->with($this->userId, $id);
+		$client = $this->getMockBuilder(IClient::class)->getMock();
+		$this->clientService->expects($this->once())
+			->method('newClient')
+			->willReturn($client);
+		$client->expects($this->once())
+			->method('get')
+			->with($src)
+			->willReturn($httpResponse);
+		$httpResponse->expects($this->once())
+			->method('getBody')
+			->willReturn($content);
+		$this->svgSanitizer->expects($this->once())
+			->method('sanitize')
+			->with($content)
+			->willReturn($sanitized);
+		$this->controller = new ProxyController(
+			$this->appName,
+			$this->request,
+			$this->urlGenerator,
+			$this->session,
+			$this->clientService,
+			$this->hmacGenerator,
+			$this->logger,
+			$this->mailManager,
+			$this->svgSanitizer,
 			$this->userId,
 		);
 
 		$response = $this->controller->proxy($src, $id, $validHmac);
 
 		$this->assertInstanceOf(ProxyDownloadResponse::class, $response);
+		$this->assertSame('image/svg+xml', $response->getHeaders()['Content-Type']);
+		$this->assertSame($sanitized, $response->render());
 	}
 
 	public function testProxyWithInvalidHmac(): void {
@@ -172,6 +233,7 @@ public function testProxyWithInvalidHmac(): void {
 			$this->hmacGenerator,
 			$this->logger,
 			$this->mailManager,
+			$this->svgSanitizer,
 			$this->userId,
 		);
 
@@ -199,6 +261,7 @@ public function testProxyWithMissingHmacParameters(): void {
 			$this->hmacGenerator,
 			$this->logger,
 			$this->mailManager,
+			$this->svgSanitizer,
 			$this->userId,
 		);
 
@@ -231,6 +294,7 @@ public function testProxyWithMessageNotOwnedByUser(): void {
 			$this->hmacGenerator,
 			$this->logger,
 			$this->mailManager,
+			$this->svgSanitizer,
 			$this->userId,
 		);
 
diff --git a/tests/Unit/Service/MimeMessageTest.php b/tests/Unit/Service/MimeMessageTest.php
index 146a3bf26c..48603dbf2e 100644
--- a/tests/Unit/Service/MimeMessageTest.php
+++ b/tests/Unit/Service/MimeMessageTest.php
@@ -17,6 +17,7 @@
 use OCA\Mail\Model\NewMessageData;
 use OCA\Mail\Service\DataUri\DataUriParser;
 use OCA\Mail\Service\MimeMessage;
+use OCA\Mail\Service\SvgSanitizer;
 
 class MimeMessageTest extends TestCase {
 	private DataUriParser $uriParser;
@@ -27,7 +28,7 @@ protected function setUp(): void {
 		parent::setUp();
 
 		$this->uriParser = new DataUriParser();
-		$this->mimeMessage = new MimeMessage($this->uriParser);
+		$this->mimeMessage = new MimeMessage($this->uriParser, new SvgSanitizer());
 		$this->account = new Account(new MailAccount());
 	}
 
@@ -413,6 +414,165 @@ public function testEmbeddedImageSkipNonImages(): void {
 		$this->assertStringNotContainsString('data-cid', $htmlBody);
 	}
 
+	public function testNormalizeImageDimensions(): void {
+		$html = '<p><img src="https://example.com/logo.png" style="aspect-ratio:4/1;width:400px;"></p>';
+
+		$part = $this->mimeMessage->build(
+			null,
+			$html,
+			false,
+			[],
+		);
+
+		$this->assertEquals('multipart/alternative', $part->getType());
+
+		/** @var Horde_Mime_Part[] $subParts */
+		$subParts = $part->getParts();
+		$htmlBody = $subParts[1]->getContents();
+		$this->assertStringContainsString('width="400"', $htmlBody);
+		$this->assertStringContainsString('height="100"', $htmlBody);
+	}
+
+	public function testNormalizeImageDimensionsFromFigure(): void {
+		$html = '<figure class="image image_resized" style="width:200px;"><img src="https://example.com/logo.png" style="aspect-ratio:2/1;"></figure>';
+
+		$part = $this->mimeMessage->build(
+			null,
+			$html,
+			false,
+			[],
+		);
+
+		/** @var Horde_Mime_Part[] $subParts */
+		$subParts = $part->getParts();
+		$htmlBody = $subParts[1]->getContents();
+		$this->assertStringContainsString('width="200"', $htmlBody);
+		$this->assertStringContainsString('height="100"', $htmlBody);
+	}
+
+	public function testNormalizeImageDimensionsFromFigureWrappingLink(): void {
+		$html = '<figure class="image image_resized" style="width:200px;"><a href="https://example.com"><img src="https://example.com/logo.png" style="aspect-ratio:2/1;"></a></figure>';
+
+		$part = $this->mimeMessage->build(
+			null,
+			$html,
+			false,
+			[],
+		);
+
+		/** @var Horde_Mime_Part[] $subParts */
+		$subParts = $part->getParts();
+		$htmlBody = $subParts[1]->getContents();
+		$this->assertStringContainsString('width="200"', $htmlBody);
+		$this->assertStringContainsString('height="100"', $htmlBody);
+	}
+
+	public function testNormalizeImageDimensionsIgnoresPercentageWidth(): void {
+		$html = '<p><img src="https://example.com/logo.png" style="width:50%;"></p>';
+
+		$part = $this->mimeMessage->build(
+			null,
+			$html,
+			false,
+			[],
+		);
+
+		/** @var Horde_Mime_Part[] $subParts */
+		$subParts = $part->getParts();
+		$htmlBody = $subParts[1]->getContents();
+		$this->assertStringNotContainsString('width="', $htmlBody);
+	}
+
+	public function testNormalizeImageAlignment(): void {
+		$html = '<figure class="image image-style-align-center"><img src="https://example.com/logo.png"></figure>';
+
+		$part = $this->mimeMessage->build(
+			null,
+			$html,
+			false,
+			[],
+		);
+
+		/** @var Horde_Mime_Part[] $subParts */
+		$subParts = $part->getParts();
+		$htmlBody = $subParts[1]->getContents();
+		$this->assertStringContainsString('margin-left: auto; margin-right: auto', $htmlBody);
+		$this->assertStringContainsString('text-align: center', $htmlBody);
+	}
+
+	public function testNormalizeImageAlignmentRight(): void {
+		$html = '<figure class="image image-style-block-align-right"><img src="https://example.com/logo.png"></figure>';
+
+		$part = $this->mimeMessage->build(
+			null,
+			$html,
+			false,
+			[],
+		);
+
+		/** @var Horde_Mime_Part[] $subParts */
+		$subParts = $part->getParts();
+		$htmlBody = $subParts[1]->getContents();
+		$this->assertStringContainsString('margin-left: auto; margin-right: 0', $htmlBody);
+		$this->assertStringContainsString('text-align: right', $htmlBody);
+	}
+
+	public function testNormalizeImageAlignmentMakesDefaultExplicit(): void {
+		$html = '<figure class="image image_resized" style="width:300px;"><img src="https://example.com/logo.png"></figure>';
+
+		$part = $this->mimeMessage->build(
+			null,
+			$html,
+			false,
+			[],
+		);
+
+		/** @var Horde_Mime_Part[] $subParts */
+		$subParts = $part->getParts();
+		$htmlBody = $subParts[1]->getContents();
+		$this->assertStringContainsString('margin-left: 0; margin-right: auto', $htmlBody);
+		$this->assertStringContainsString('text-align: left', $htmlBody);
+	}
+
+	public function testNormalizeImageAlignmentIgnoresNonImageFigures(): void {
+		$html = '<figure class="media"><img src="https://example.com/logo.png"></figure>';
+
+		$part = $this->mimeMessage->build(
+			null,
+			$html,
+			false,
+			[],
+		);
+
+		/** @var Horde_Mime_Part[] $subParts */
+		$subParts = $part->getParts();
+		$htmlBody = $subParts[1]->getContents();
+		$this->assertStringNotContainsString('text-align', $htmlBody);
+	}
+
+	public function testSanitizesInlineSvg(): void {
+		$svg = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script><rect width="10" height="10"/></svg>';
+		$html = '<p><img src="data:image/svg+xml;base64,' . base64_encode($svg) . '"></p>';
+
+		$part = $this->mimeMessage->build(
+			null,
+			$html,
+			false,
+			[],
+		);
+
+		$this->assertEquals('multipart/related', $part->getType());
+
+		/** @var Horde_Mime_Part[] $relatedSubParts */
+		$relatedSubParts = $part->getParts();
+		$svgPart = $relatedSubParts[1];
+		$this->assertEquals('image/svg+xml', $svgPart->getType());
+
+		$sanitized = base64_decode($svgPart->getContents());
+		$this->assertStringNotContainsString('<script', $sanitized);
+		$this->assertStringContainsString('<rect', $sanitized);
+	}
+
 	private function createAttachmentPart(string $name, string $content, string $mime, string $disposition): Horde_Mime_Part {
 		$part = new Horde_Mime_Part();
 		$part->setCharset('us-ascii');
diff --git a/tests/Unit/Service/SvgSanitizerTest.php b/tests/Unit/Service/SvgSanitizerTest.php
new file mode 100644
index 0000000000..f4d576a9e9
--- /dev/null
+++ b/tests/Unit/Service/SvgSanitizerTest.php
@@ -0,0 +1,82 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Mail\Tests\Unit\Service;
+
+use ChristophWurst\Nextcloud\Testing\TestCase;
+use OCA\Mail\Service\SvgSanitizer;
+
+class SvgSanitizerTest extends TestCase {
+	private SvgSanitizer $sanitizer;
+
+	protected function setUp(): void {
+		parent::setUp();
+
+		$this->sanitizer = new SvgSanitizer();
+	}
+
+	public function testRemovesScript(): void {
+		$svg = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script><rect/></svg>';
+
+		$result = $this->sanitizer->sanitize($svg);
+
+		$this->assertStringNotContainsString('<script', $result);
+		$this->assertStringContainsString('<rect', $result);
+	}
+
+	public function testRemovesEventHandlers(): void {
+		$svg = '<svg xmlns="http://www.w3.org/2000/svg"><rect onload="evil()" width="10"/></svg>';
+
+		$result = $this->sanitizer->sanitize($svg);
+
+		$this->assertStringNotContainsString('onload', $result);
+		$this->assertStringContainsString('width="10"', $result);
+	}
+
+	public function testRemovesExternalReference(): void {
+		$svg = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
+			. '<a xlink:href="https://evil.example"><rect/></a></svg>';
+
+		$result = $this->sanitizer->sanitize($svg);
+
+		$this->assertStringNotContainsString('evil.example', $result);
+		$this->assertStringContainsString('<rect', $result);
+	}
+
+	public function testKeepsSameDocumentReference(): void {
+		$svg = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
+			. '<use xlink:href="#icon"/></svg>';
+
+		$result = $this->sanitizer->sanitize($svg);
+
+		$this->assertStringContainsString('#icon', $result);
+	}
+
+	public function testRejectsDoctypeAndEntities(): void {
+		$svg = '<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
+			. '<svg xmlns="http://www.w3.org/2000/svg"><rect/></svg>';
+
+		$this->assertSame('', $this->sanitizer->sanitize($svg));
+	}
+
+	public function testReturnsEmptyForInvalidMarkup(): void {
+		$this->assertSame('', $this->sanitizer->sanitize('this is not <<< svg'));
+		$this->assertSame('', $this->sanitizer->sanitize(''));
+	}
+
+	public function testKeepsSafeGraphics(): void {
+		$svg = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
+			. '<circle cx="5" cy="5" r="4" fill="red"/></svg>';
+
+		$result = $this->sanitizer->sanitize($svg);
+
+		$this->assertStringContainsString('<circle', $result);
+		$this->assertStringContainsString('fill="red"', $result);
+	}
+}