2031 matches found

Fedora
added 2026/03/28 12:46 a.m., 3 views

[SECURITY] Fedora 43 Update: roundcubemail-1.6.14-1.fc43

RoundCube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an e-mail client, including MIME support, address book, folder manipulation, message searching and spell checking. RoundCube Webmail is written in...

5.9 AI score
Exploits: 0

Fedora
added 2026/03/28 12:19 a.m., 5 views

[SECURITY] Fedora 44 Update: roundcubemail-1.7~rc5-1.fc44

RoundCube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an e-mail client, including MIME support, address book, folder manipulation, message searching and spell checking. RoundCube Webmail is written in...

5.9 AI score
Exploits: 0

Tenable Nessus
added 2026/03/28 12:0 a.m., 5 views

Fedora 44 : roundcubemail (2026-9b0f520716)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-9b0f520716 advisory. Version 1.7-rc5 - Password: Add nt-binary hashing method 10096 - Fix URL matching for domain names with port numbers 10105 - Fix PHP fatal error when using...

6.1 AI score
Exploits: 0, References: 1

Tenable Nessus
added 2026/03/28 12:0 a.m., 2 views

Fedora 42 : roundcubemail (2026-c283cce7fd)

The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-c283cce7fd advisory. Version 1.6.14 Fix Postgres connection using IPv6 address 10104 Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache...

6.1 AI score
Exploits: 0, References: 1

Tenable Nessus
added 2026/03/28 12:0 a.m., 2 views

Fedora 43 : roundcubemail (2026-2decd38070)

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-2decd38070 advisory. Version 1.6.14 Fix Postgres connection using IPv6 address 10104 Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache...

6.1 AI score
Exploits: 0, References: 1

OpenVAS
added 2026/03/25 12:0 a.m., 3 views

Mageia: Security Advisory (MGASA-2026-0065)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

4.7 CVSS, 5.8 AI score, 0.00629 EPSS
Exploits: 2, References: 5

OSV
added 2026/03/24 5:53 p.m., 3 views

MGASA-2026-0065 Updated roundcubemail packages fix security vulnerabilities

Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us. Fix bug where a password could get changed without providing the old password, reported by flydragon777. Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security...

4.7 CVSS, 6 AI score, 0.00629 EPSS
Exploits: 2, References: 3

Tenable Nessus
added 2026/03/19 12:0 a.m., 4 views

FreeBSD : Roundcube -- Multiple vulnerabilities (c5b93cb5-2363-11f1-81da-8447094a420f)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the c5b93cb5-2363-11f1-81da-8447094a420f advisory. The Roundcube project reports: pre-auth arbitrary file write via unsafe deserialization in redis/memcac...

6 AI score
Exploits: 0, References: 2

OpenVAS
added 2026/03/19 12:0 a.m., 2 views

Ubuntu: Security Advisory (USN-8097-2)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

5.8 AI score
Exploits: 0, References: 3

OSV
added 2026/03/18 8:13 p.m., 4 views

USN-8097-2 roundcube regression

USN-8097-1 fixed a vulnerability in roundcube. The update caused a regression affecting the HTML sanitizer, preventing Roundcube from rendering any email message body. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that Roundcube...

5.7 AI score
Exploits: 0, References: 2

Ubuntu
added 2026/03/18 8:13 p.m., 5 views

USN-8097-2: roundcube regression

USN-8097-1 fixed a vulnerability in roundcube. The update caused a regression affecting the HTML sanitizer, preventing Roundcube from rendering any email message body. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that Roundcube...

5.6 AI score
Exploits: 0, References: 1

Positive Technologies
added 2026/03/18 12:0 a.m., 2 views

PT-2026-29979

Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions 1.6.0 through 1.6.13 Description An issue exists in Roundcube Webmail where insufficient Cascading Style Sheets CSS sanitization in HTML email messages could lead to Server-Side Request Forgery SSRF or Information...

6.5 CVSS, 5.8 AI score, 0.0031 EPSS
Exploits: 0, References: 20

Positive Technologies
added 2026/03/18 12:0 a.m., 2 views

PT-2026-29984

Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions prior to 1.5.15 and prior to 1.6.15 Description A flaw exists in Roundcube Webmail that allows bypassing the remote image blocking feature through specially crafted SVG content within email messages. This bypass can...

8.5 CVSS, 5.9 AI score, 0.00329 EPSS
Exploits: 0, References: 22

OpenVAS
added 2026/03/17 12:0 a.m., 9 views

Ubuntu: Security Advisory (USN-8097-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

7.2 CVSS, 5.8 AI score, 0.19769 EPSS
Exploits: 1, References: 4

Tenable Nessus
added 2026/03/17 12:0 a.m., 7 views

Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS : Roundcube Webmail vulnerabilities (USN-8097-1)

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-8097-1 advisory. It was discovered that Roundcube Webmail did not properly sanitize the animate tag within SVG documents. An attacker could...

7.2 CVSS, 5.9 AI score, 0.19769 EPSS
Exploits: 1, References: 2

OSV
added 2026/03/16 3:28 p.m., 1 view

USN-8097-1 roundcube vulnerabilities

It was discovered that Roundcube Webmail did not properly sanitize the animate tag within SVG documents. An attacker could possibly use this issue to cause a cross-site scripting attack...

7.2 CVSS, 5.7 AI score, 0.19769 EPSS
Exploits: 1, References: 2

Ubuntu
added 2026/03/16 3:28 p.m., 5 views

USN-8097-1: Roundcube Webmail vulnerabilities

It was discovered that Roundcube Webmail did not properly sanitize the animate tag within SVG documents. An attacker could possibly use this issue to cause a cross-site scripting attack...

7.2 CVSS, 5.6 AI score, 0.19769 EPSS
Exploits: 1

Hacker One
added 2026/03/07 11:44 a.m., 7 views

Nextcloud: position: fixed !important bypasses CSS sanitizer's fixed-position mitigation, enabling full-viewport phishing overlays.

A vulnerability was discovered in the CSS sanitization process of the Roundcube webmail application. The sanitizer failed to properly handle the "position: fixed !important" CSS declaration, allowing an attacker to bypass the mitigation for fixed-position overlays. This could enable the creation ...

5.8 AI score
Exploits: 0

Hacker One
added 2026/03/07 11:41 a.m., 7 views

Nextcloud: Unquoted body background attribute enables CSS injection that bypasses remote image blocking

A vulnerability was discovered in Roundcube's HTML sanitizer that enabled CSS injection when the allowremote option was set to false. The sanitizer failed to quote the value of the background attribute from the email's element, allowing a crafted data: URI to terminate the url function and inject...

5.9 AI score
Exploits: 0

Hacker One
added 2026/03/07 11:33 a.m., 6 views

Nextcloud: SMIL values and by attributes bypass remote image blocking via unvalidated resource-loading animations, enabling email tracking without consent

A vulnerability was discovered in the HTML sanitizer of the Roundcube webmail client. The vulnerability allowed attackers to bypass the "Block remote images" security feature by using SMIL animation attributes to load arbitrary external resources without validation. This could have enabled email...

6 AI score
Exploits: 0