We just published security updates to the 1.7 and 1.6 LTS versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities.
Security fixes:
by stafra.
session-injected username, reported by Glendaenri and peppersghost.
attachment-validation warning page [CVE-2026-54432], reported by Bohdan Kurinnoy, Samsung R&D Institute Ukraine (SRUKR).
reported by Leenear.
reported by Bohdan Kurinnoy, Samsung R&D Institute Ukraine (SRUKR).
file, reported by h0rk1p.
See the full changelogs in the release notes on the Github download pages for the updated versions.
https://github.com/roundcube/roundcubemail/releases/tag/1.7.2 https://github.com/roundcube/roundcubemail/releases/tag/1.6.17
We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.7.x with this new versions.