Releases: roundcube/roundcubemail
Release list
Roundcube Webmail 1.7.2
This is a security update to the version 1.7 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
- Fix an infinite loop in TNEF (winmail.dat) decoder (#10193), reported by stafra.
- Fix various vulnerabilities in the password plugin using session-injected username, reported by Glendaenri and peppersghost.
- Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432], reported by Bohdan Kurinnoy, Samsung R&D Instit
- Fix SSRF bypass via specific local address URLs - two new cases, reported by Leenear.
- Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433], reported by Bohdan Kurinnoy, Samsung R&D Institute Ukraine (SRUKR).
- Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file, reported by h0rk1p.
This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!
CHANGELOG
- Add HEAD request handler to the
static.php - Fix so the
oauth_password_claimclaim is retrieved via token or userinfo request (#9631) - Fix bug where
static.phpwould return a 416 error on a specificRangerequest (#10194) - Fix bug where configured skin logo wasn't loaded via
static.phpresulting in 404 error (#10191) - Fix bug where installto.sh would fail if public_html folder does not exist in the target directory (#10202)
- Revert "Prefer 8bit over quoted-printable for HTML parts, when force_7bit is disabled (#8477)" (#10198)
- Fix incorrect unfolding of folded lines when importing vCard 2.1 contacts (#9647)
- Fix bug where Imagick could leave large temporary files on failure (#10230)
- Fix bug where redis/memcache session could have been updated more often than needed
- Fix support for untyped tokens in OIDC backchannel logout, require unset
nonce(#10097) - Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
- Security: Fix various vulnerabilities in the password plugin using session-injected username
- Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
- Security: Fix SSRF bypass via specific local address URLs - two new cases
- Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
- Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file
Roundcube Webmail 1.6.17
This is a security update to the LTS version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
- Fix an infinite loop in TNEF (winmail.dat) decoder (#10193), reported by stafra.
- Fix various vulnerabilities in the password plugin using session-injected username, reported by Glendaenri and peppersghost.
- Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432], reported by Bohdan Kurinnoy, Samsung R&D Instit
- Fix SSRF bypass via specific local address URLs - two new cases, reported by Leenear.
- Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433], reported by Bohdan Kurinnoy, Samsung R&D Institute Ukraine (SRUKR).
- Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file, reported by h0rk1p.
This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!
CHANGELOG
- Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
- Enigma: Kolab WOAT Support (#8626)
- Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
- Security: Fix various vulnerabilities in the password plugin using session-injected username
- Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
- Security: Fix SSRF bypass via specific local address URLs - two new cases
- Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
- Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file
Roundcube Webmail 1.7.1
This is a security update to the stable version 1.7 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
- Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog, reported by Anand Jogawade (zazy)
- Fix CSS injection bypass in HTML sanitizer via SVG
<animate attributeName="style">, reported by wooseokdotkim - Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass, reported by skull
- Fix SSRF bypass via specific local address URLs
- Fix local/private URL fetch bypass when remote resources were not allowed, reported by Orange Cyberdefense Vulnerability Disclosure Team
- Fix bypass of remote image blocking via CSS var(), reported by Geame
- Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass, reported by valent1
- Fix code injection vulnerability - remove support for code evaluation in LDAP
autovaluesoption, reported by Glendaenri
This version is considered stable and we recommend to update all productive installations of Roundcube 1.7.x with it. Please do backup your data before updating!
CHANGELOG
- Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
- Managesieve: Fix error when a mail message contains duplicate List-Id header (#10186)
- Clarified Elastic installation instructions (#10163)
- Added HTMLFormElement.requestSubmit() polyfill for older browsers (#10179)
- Fix so "has:attachment" search uses $HasAttachment/$HasNoAttachment keywords (#10168)
- Fix potential too long value in IMAP ID command (#10136)
- Fix redis/memcache disconnection in rcube::sleep() (#10127)
- Fix so static resources, e.g. skin_logo can be put inside the public_html directory (#10160)
- Fix so
REQUEST_URIis used as a fallback ifPATH_INFOis not set in static.php (#10181) - Fix
assets_pathfeature and remove dependency onPATH_INFO(#10185) - Fix MySQL upgrade on MySQL < 8.0 and MariaDB < 10.5.3 (#10188)
- Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
- Security: Fix CSS injection bypass in HTML sanitizer via SVG
<animate attributeName="style"> - Security: Fix pre-auth SQL injection in
virtuser_queryplugin via preg_replace backslash escape bypass - Security: Fix SSRF bypass via specific local address URLs
- Security: Fix bypass of remote image blocking via CSS var()
- Security: Fix local/private URL fetch bypass when remote resources were not allowed
- Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
- Security: Fix code injection vulnerability - remove support for code evaluation in LDAP
autovaluesoption
Roundcube Webmail 1.6.16
This is a security update to the LTS version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
- Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog, reported by Anand Jogawade (zazy)
- Fix CSS injection bypass in HTML sanitizer via SVG
<animate attributeName="style">, reported by wooseokdotkim - Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass, reported by skull
- Fix SSRF bypass via specific local address URLs
- Fix local/private URL fetch bypass when remote resources were not allowed, reported by Orange Cyberdefense Vulnerability Disclosure Team
- Fix bypass of remote image blocking via CSS var(), reported by Geame
- Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass, reported by valent1
- Fix code injection vulnerability - remove support for code evaluation in LDAP
autovaluesoption, reported by Glendaenri
This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!
CHANGELOG
- Fix potential too long value in IMAP ID command (#10136)
- Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
- Security: Fix CSS injection bypass in HTML sanitizer via SVG
<animate attributeName="style"> - Security: Fix pre-auth SQL injection in
virtuser_queryplugin via preg_replace backslash escape bypass - Security: Fix SSRF bypass via specific local address URLs
- Security: Fix bypass of remote image blocking via CSS var()
- Security: Fix local/private URL fetch bypass when remote resources were not allowed
- Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
- Security: Fix code injection vulnerability - remove support for code evaluation in LDAP
autovaluesoption
Roundcube Webmail 1.7.0
This is the stable release of the next major version 1.7 of Roundcube Webmail.
After almost four years of development we introduce a few breaking changes, some new features, and bring support for recent PHP versions. With automated code style and quality checks, removed code bloat and updated dependencies, we hope for even more codebase quality.
Some noteworthy changes are:
- Mandatory
public_html/entry-point for HTTP servers, protecting all installations better. - Improved OAuth2/OIDC support (e.g. support for OIDC discovery, OIDC logout).
- Markdown mail rendering and composing.
- A quick actions mouse-over menu on the messages list.
- Advanced mail search syntax.
Breaking Changes
- Dropped support for PHP < 8.1.
- Dropped support for Internet Explorer.
- Dropped support for MS SQL Server and Oracle.
public_html/entry-point made mandatory, all static resources are served viapublic_html/static.php.- Removed
apccache driver (replaced byapcucache driver). - Changed
smtp_logoption default value tofalse. - Removed
contact_search_nameoption in favor ofcontactlist_name_template. - Replaced session property
changedbyexpires_at. - Removed the (insecure) virtualmin password driver.
This release is considered stable and we encourage you to update your productive installations after carefully testing the upgrade scenario. Download it from roundcube.net.
With the release of Roundcube 1.7.0, the previous stable release branch 1.6.x changes into an LTS (low maintenance) mode which means it will only receive important security updates. The 1.5.x series is no longer supported and maintained.
And don't forget to backup your data before installing it!
Changelog since 1.7-rc6
Roundcube Webmail 1.6.15
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability:
- SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.
This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!
CHANGELOG
Roundcube Webmail 1.5.15
This is a security update to the stable version 1.5 of Roundcube Webmail.
It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability:
- SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.
This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it. Please do backup your data before updating!
CHANGELOG
- Fix so distribution packages (and composer.json) don't include development dependencies
- Fix regression where mail search would fail on non-ascii search criteria (#10121)
- Fix regression where some data url images could get ignored/lost (#10128)
- Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke
Roundcube Webmail 1.7 RC6
This is hopefully the last release candidate for the next major version 1.7 of Roundcube Webmail.
It provides a fix to recently reported security vulnerability:
- SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.
We believe it is production ready, but we recommend to test it on a separate environment.
Migrate existing configs with either the installto.sh or the update.sh scripts.
And don't forget to backup your data before installing it!
CHANGELOG
- Added support for arrays in smtp_user and smtp_pass config options (#10083)
- Added system health checker CLI script (#10106)
- Stricter recognition of an Ajax request (#10118)
- Password: Added Stalwart driver (#10114)
- Fix regression where some data url images could get ignored/lost (#10128)
- Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke
Roundcube Webmail 1.6.14
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
- Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us.
- Fix bug where a password could get changed without providing the old password, reported by flydragon777.
- Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team.
- Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral.
- Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral.
- Fix fixed position mitigation bypass via use of !important, reported by nullcathedral.
- Fix XSS issue in a HTML attachment preview, reported by aikido_security.
- Fix SSRF + Information Disclosure via stylesheet links to a local network hosts, reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/.
This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!
CHANGELOG
- Fix Postgres connection using IPv6 address (#10104)
- Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
- Security: Fix bug where a password could get changed without providing the old password
- Security: Fix IMAP Injection + CSRF bypass in mail search
- Security: Fix remote image blocking bypass via various SVG animate attributes
- Security: Fix remote image blocking bypass via a crafted body background attribute
- Security: Fix fixed position mitigation bypass via use of !important
- Security: Fix XSS issue in a HTML attachment preview
- Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts
Roundcube Webmail 1.5.14
This is a security update to the stable version 1.5 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
- Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us.
- Fix bug where a password could get changed without providing the old password, reported by flydragon777.
- Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team.
- Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral.
- Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral.
- Fix fixed position mitigation bypass via use of !important, reported by nullcathedral.
- Fix XSS issue in a HTML attachment preview, reported by aikido_security.
This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it, if you can't move to 1.6 yet. Please do backup your data before updating!
CHANGELOG
- Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
- Security: Fix bug where a password could get changed without providing the old password
- Security: Fix IMAP Injection + CSRF bypass in mail search
- Security: Fix remote image blocking bypass via various SVG animate attributes
- Security: Fix remote image blocking bypass via a crafted body background attribute
- Security: Fix fixed position mitigation bypass via use of !important
- Security: Fix XSS issue in a HTML attachment preview