Roundcube Webmail 1.6.14
Repository: roundcube/roundcubemail · Tag: 1.6.14 · Commit: 27ec6cc · Released by: alecpl
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us.
Fix bug where a password could get changed without providing the old password, reported by flydragon777.
Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team.
Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral.
Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral.
Fix fixed position mitigation bypass via use of !important, reported by nullcathedral.
Fix XSS issue in an HTML attachment preview, reported by aikido_security.
Fix SSRF + Information Disclosure via stylesheet links to local network hosts, reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/.
This version is considered stable and we recommend updating all production installations of Roundcube 1.6.x with it. Please do back up your data before updating!
I don't know whether this is related or whether there is anything to it ... in any case, a Roundcube Exploitation Toolkit is being reported on here:
https://thehackernews.com/2026/03/weekl ... Discovered