Roundcube 1.6.16 security fixes [SOLVED]
Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog, reported by zazy
Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">, reported by wooseokdotkim
Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass, reported by skull
Fix SSRF bypass via specific local address URLs
Fix local/private URL fetch bypass when remote resources were not allowed, reported by Orange Cyberdefense Vulnerability Disclosure Team
Fix bypass of remote image blocking via CSS var(), reported by Geame
Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass, reported by valent1
Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option, reported by Glendaenri
Details:
https://github.com/roundcube/roundcubem ... tag/1.6.16
Re: Roundcube 1.6.16 security fixes
for this, will a script appear and we run it automatically or does Roundcube have to be updated manually?
I find the update steps on the forum??, I don't want to break anything on the server, I'm new to the forum, and a KeyHelp user, after 9 years of CWP Panel.
THX!
Re: Roundcube 1.6.16 security fixes [SOLVED]
This will be included w/ the upcoming panel update; it is just an informational note. The developer will address it as soon as possible.
Ghoste wrote: Tue 26. May 2026, 14:19
Hello,
for this, will a script appear and we run it automatically or does Roundcube have to be updated manually?
I find the update steps on the forum??, I don't want to break anything on the server, I'm new to the forum, and a KeyHelp user, after 9 years of CWP Panel.
THX!
Do not update RC by yourself unless you know exactly what to do.
Re: Roundcube 1.6.16 security fixes
I appreciate the promptness with which you responded to the requests. We are waiting for the automatic update from KeyHelp.
Re: Roundcube 1.6.16 security fixes
Thanks, but I'm not part of the support team.
You'd be better off thanking the Developer and the KeyHelp Team.