Roundcube, a PHP-based webmail frontend, released a series of security updates on Dec 12. From the release announcement:
* Fix Cross-Site-Scripting vulnerability via SVG’s animate tag reported by Valentin T., CrowdStrike. * Fix Information Disclosure vulnerability in the HTML style sanitizer reported by somerandomdev. There are fixed in the newly-released versions 1.5.12 and 1.6.12. While not mentioned in the official annoucement, these appear to be CVE-2025-68461 (7.2) and CVE-2025-68460 (7.2) respectively. Additionally a new 1.7 series (currently in beta) prerelease 1.7rc2 was announced fixing the same issues. Full announcements: https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12 https://roundcube.net/news/2025/12/15/roundcube-1.7-rc2-released -Valtteri
