Roundcube, a webmail frontend, released versions 1.6.16 and 1.7.1 on May 24 that
fix a variety of vulnerabilities. From the announcement
<https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1>:

* Fix stored XSS/HTML/CSS injection in subject field of the draft restore
  dialog, reported by zazy
* Fix CSS injection bypass in HTML sanitizer via SVG
  <animate attributeName="style">, reported by wooseokdotkim
* Fix pre-auth SQL injection in virtuser_query plugin via preg_replace
  backslash escape bypass, reported by skull
* Fix SSRF bypass via specific local address URLs
* Fix local/private URL fetch bypass when remote resources were not allowed,
  reported by Orange Cyberdefense Vulnerability Disclosure Team
* Fix bypass of remote image blocking via CSS var(), reported by Geame
* Fix pre-auth arbitrary file delete via redis/memcache session poisoning
  bypass, reported by valent1
* Fix code injection vulnerability - remove support for code evaluation in
  LDAP autovalues option, reported by Glendaenri

As usual, CVE numbers are not provided in the announcement. See for example
<https://security-tracker.debian.org/tracker/source-package/roundcube> for a
list if interested.

Support for the 1.5 LTS branch has ended, so presumably it is and will remain
vulnerable to some or all of these.

-Valtteri