Addendum: versions 1.5.15/1.6.15 were released March 29 that correct regressions introduced in 1.5.14/1.6.14 and fix one more cross-site issue:
* SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm. Announcement is at <https://roundcube.net/news/2026/03/29/security-updates-1.7-rc6-1.6.15-1.5.15>. This appears to be CVE-2026-35545. -Valtteri
