Announce

announce@lists.roundcube.net

154 discussions

[RCD] Security updates 1.7.1 and 1.6.16 released
by Aleksander Machniak 24 May '26

24 May '26

Here's the same message with corrected subject. Sorry about that. We just published security updates to the 1.7 and 1.6 LTS versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities. Security fixes: - Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog, reported by zazy - Fix CSS injection bypass in HTML sanitizer via SVG `<animate attributeName="style">`, reported by wooseokdotkim - Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass, reported by skull - Fix SSRF bypass via specific local address URLs - Fix local/private URL fetch bypass when remote resources were not allowed, reported by Orange Cyberdefense Vulnerability Disclosure Team - Fix bypass of remote image blocking via CSS var(), reported by Geame - Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass, reported by valent1 - Fix code injection vulnerability - remove support for code evaluation in LDAP `autovalues` option, reported by Glendaenri See the full changelogs in the release notes on the Github download pages for the updated versions 1.7.1 and 1.6.16. https://github.com/roundcube/roundcubemail/releases/tag/1.7.1 https://github.com/roundcube/roundcubemail/releases/tag/1.6.16 We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.7.x with this new versions. -- Alec

1 0

[RCD] Security updates 1.5.13 and 1.6.13 released
by Aleksander Machniak 24 May '26

24 May '26

We just published security updates to the 1.7 and 1.6 LTS versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities. Security fixes: - Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog, reported by zazy - Fix CSS injection bypass in HTML sanitizer via SVG `<animate attributeName="style">`, reported by wooseokdotkim - Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass, reported by skull - Fix SSRF bypass via specific local address URLs - Fix local/private URL fetch bypass when remote resources were not allowed, reported by Orange Cyberdefense Vulnerability Disclosure Team - Fix bypass of remote image blocking via CSS var(), reported by Geame - Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass, reported by valent1 - Fix code injection vulnerability - remove support for code evaluation in LDAP `autovalues` option, reported by Glendaenri See the full changelogs in the release notes on the Github download pages for the updated versions 1.7.1 and 1.6.16. https://github.com/roundcube/roundcubemail/releases/tag/1.7.1 https://github.com/roundcube/roundcubemail/releases/tag/1.6.16 We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.7.x with this new versions. -- Alec

1 0

Roundcube Webmail 1.7.0 released
by Aleksander Machniak 10 May '26

10 May '26

This is the stable release of the next major version 1.7 of Roundcube Webmail. After almost four years of development we introduce a few breaking changes, some new features, and bring support for recent PHP versions. With automated code style and quality checks, removed code bloat and updated dependencies, we hope for even more codebase quality. Some noteworthy changes are: - Mandatory `public_html/` entry-point for HTTP servers, protecting all installations better. - Improved OAuth2/OIDC support (e.g. support for OIDC discovery, OIDC logout). - Markdown mail rendering and composing. - A quick actions mouse-over menu on the messages list. - Advanced mail search syntax. ## Breaking Changes - Dropped support for PHP < 8.1. - Dropped support for Internet Explorer. - Dropped support for MS SQL Server and Oracle. - `public_html/` entry-point made mandatory, all static resources are served via `public_html/static.php`. - Removed `apc` cache driver (replaced by `apcu` cache driver). - Changed `smtp_log` option default value to `false`. - Removed `contact_search_name` option in favor of `contactlist_name_template`. - Replaced session property `changed` by `expires_at`. - Removed the (insecure) virtualmin password driver. This release is considered stable and we encourage you to update your productive installations after carefully testing the upgrade scenario. With the release of Roundcube 1.7.0, the previous stable release branch 1.6.x changes into an LTS (low maintenance) mode which means it will only receive important security updates. The 1.5.x series is no longer supported and maintained. And don't forget to backup your data before installing it! You can download it from https://roundcube.net Cheers, Alec

1 0

[RCD] Security updates 1.6.15 and 1.5.15 (and 1.7-rc6) released
by Aleksander Machniak 29 Mar '26

29 Mar '26

We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail, as well as a release candidate for coming 1.7. It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability. ## Security fixes - SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm. See the full changelogs in the release notes on the Github download pages for the updated versions - https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc6 - https://github.com/roundcube/roundcubemail/releases/tag/1.6.15 - https://github.com/roundcube/roundcubemail/releases/tag/1.5.15 We strongly recommend to update your productive installations of Roundcube with this new versions. -- Alec

1 0

[RCD] Security updates 1.6.14 and 1.5.14 (and 1.7-rc5) released
by Aleksander Machniak 18 Mar '26

18 Mar '26

We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail, as well as a release candidate for coming 1.7. They contain fixes for recently reported set of security vulnerabilities. ## Security fixes - Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us. - Fix bug where a password could get changed without providing the old password, reported by flydragon777. - Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team. - Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral. - Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral. - Fix fixed position mitigation bypass via use of !important, reported by nullcathedral. - Fix XSS issue in a HTML attachment preview, reported by aikido_security. - Fix SSRF + Information Disclosure via stylesheet links to a local network hosts, reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/. See the full changelogs in the release notes on the Github download pages for the updated versions - https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5 - https://github.com/roundcube/roundcubemail/releases/tag/1.6.14 - https://github.com/roundcube/roundcubemail/releases/tag/1.5.14 We strongly recommend to update your productive installations of Roundcube with this new versions. -- Alec

1 0

Roundcube webmail 1.7 RC4 released
by Pablo Zimdahl 14 Feb '26

14 Feb '26

We just published the fourth release candidate for the next major version 1.7 of Roundcube webmail. This release fixes two minor issues, it's mostly published to fix a file permission problem in the previous release v1.7-rc3. The changes are: - Ensure correct file permissions when building a release. - Installer: Fix broken link to download the created configuration file (#10092) The tarballs can be downloaded [from roundcube.net/download](https://roundcube.net/download/). Or directly from [the release page at github.com](https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc4). We believe it is production ready, but we recommend to test it on a separate environment. Migrate existing configs with either the `installto.sh` or the `update.sh` scripts. And don't forget to backup your data before installing it! Regards, Pablo -- Pablo Zimdahl Software Engineer oOo Nextcloud - Regain control over your data pablo.zimdahl(a)nextcloud.com nextcloud.com +49 711 25 24 28 90 Nextcloud GmbH Hauptmannsreute 44A, 70192 Stuttgart, Germany GF: Frank Karlitschek HRB 227086 (AG München)

1 0

Roundcube webmail 1.7 RC3 released
by Pablo Zimdahl 10 Feb '26

10 Feb '26

We just published the third release candidate for the next major version 1.7 of Roundcube webmail. This release fixes two security issues, and contains a few more fixes for several issues. The security fixes are: - Fix CSS injection vulnerability reported by CERT Polska. - Fix remote image blocking bypass via SVG content reported by nullcathedral. For the full changelog please see the release page: https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc3. The tarballs can be downloaded via roundcube.net: https://roundcube.net/download/ Or directly from the release page at github.com: https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc3 We believe it is production ready, but we recommend to test it on a separate environment. Migrate existing configs with either the `installto.sh` or the `update.sh` scripts. And don't forget to backup your data before installing it! Regards, Pablo -- Pablo Zimdahl Software Engineer oOo Nextcloud - Regain control over your data pablo.zimdahl(a)nextcloud.com nextcloud.com +49 711 25 24 28 90 Nextcloud GmbH Hauptmannsreute 44A, 70192 Stuttgart, Germany GF: Frank Karlitschek HRB 227086 (AG München)

1 0

Security updates 1.5.13 and 1.6.13 released
by Aleksander Machniak 08 Feb '26

08 Feb '26

We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain fixes for recently reported two security vulnerabilities. Security fixes: - Fix CSS injection vulnerability reported by CERT Polska. - Fix remote image blocking bypass via SVG content reported by nullcathedral. See the full changelogs in the release notes on the Github download pages for the updated versions 1.6.13 and 1.5.13. https://github.com/roundcube/roundcubemail/releases/tag/1.6.13 https://github.com/roundcube/roundcubemail/releases/tag/1.5.13 We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.5.x with this new versions. -- Alec

1 0

Roundcube webmail 1.7 RC2 released
by Pablo Zimdahl 16 Dec '25

16 Dec '25

We just published the second release candidate for the next major version 1.7 of Roundcube webmail. This release fixes two security issues and one syntax error in a database migration file for Postgres databases. The changes are: - Fix Cross-Site-Scripting vulnerability via SVG’s animate tag reported by Valentin T., CrowdStrike. - Fix Information Disclosure vulnerability in the HTML style sanitizer reported by somerandomdev. - Fix syntax error in DDL scripts for Postgres (#10052) The tarballs can be downloaded from github.com or roundcube.net: https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc2 https://roundcube.net/download/ We believe it is production ready, but we recommend to test it on a separate environment. Existing setups can be migrated with either the `installto.sh` or the `update.sh` scripts. Please don't forget to backup your data before updating! Regards, Pablo -- Pablo Zimdahl Software Engineer oOo Nextcloud - Regain control over your data pablo.zimdahl(a)nextcloud.com nextcloud.com +49 711 25 24 28 90 Nextcloud GmbH Hauptmannsreute 44A, 70192 Stuttgart, Germany GF: Frank Karlitschek HRB 227086 (AG München)

1 0

Security updates 1.5.12 and 1.6.12 released
by Aleksander Machniak 14 Dec '25

14 Dec '25

We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain fixes for recently reported two security vulnerabilities. Security fixes: - Fix Cross-Site-Scripting vulnerability via SVG's animate tag reported by Valentin T., CrowdStrike. - Fix Information Disclosure vulnerability in the HTML style sanitizer reported by somerandomdev. See the full changelogs in the release notes on the Github download pages for the updated versions 1.6.12 and 1.5.12. https://github.com/roundcube/roundcubemail/releases/tag/1.6.12 https://github.com/roundcube/roundcubemail/releases/tag/1.5.12 We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.5.x with this new versions. -- Alec

1 0

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Announce