This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Topics
+4 more
ReleasePort's take
Light signalVersion 1.6.5 introduces mailto: and webcal: protocol handling with account selection, import‑or‑subscribe decisions, and session reuse for PWAs.
Why it matters: Test these new protocol flows in a development environment before deploying to production; no urgent migration or patch is required.
Summary
AI summaryAdded mailto: and webcal: protocol handling with account picker, import-or-subscribe choice, and session reuse.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium |
Register as system handler for mailto: and webcal: links from protocol handler settings page Register as system handler for mailto: and webcal: links from protocol handler settings page Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Account picker for protocol links when multiple accounts are connected Account picker for protocol links when multiple accounts are connected Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Import-or-subscribe choice for detected webcal calendars Import-or-subscribe choice for detected webcal calendars Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Reuse open PWA/session for mailto: links instead of always opening a new tab Reuse open PWA/session for mailto: links instead of always opening a new tab Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Route account avatars through shared Avatar component for consistent fallbacks Route account avatars through shared Avatar component for consistent fallbacks Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
Support HTTP basic auth in iCal subscription URLs Support HTTP basic auth in iCal subscription URLs Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Bugfix | Medium |
Honor admin-uploaded favicon in root metadata Honor admin-uploaded favicon in root metadata Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
Honor NEXT_PUBLIC_BASE_PATH in admin sidebar nav links Honor NEXT_PUBLIC_BASE_PATH in admin sidebar nav links Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
Broaden body font stack for Thai and other non-Latin scripts in subjects, sender names, and chrome Broaden body font stack for Thai and other non-Latin scripts in subjects, sender names, and chrome Source: llm_adapter@2026-05-21 Confidence: low |
— |
Full changelog
1.6.5 (2026-05-13)
Features
- Protocol: Register as the system handler for
mailto:andwebcal:links from a new protocol handler settings page - Protocol: Account picker for protocol links when multiple accounts are connected
- Protocol: Import-or-subscribe choice for detected webcal calendars
- Protocol: Reuse the open PWA/session for
mailto:links instead of always opening a new tab - UI: Route account avatars through the shared
Avatarcomponent for consistent fallbacks (#278)
Fixes
- Calendar: Support HTTP basic auth in iCal subscription URLs (#275)
- Admin: Honor admin-uploaded favicon in root metadata (#274)
- Admin: Honor
NEXT_PUBLIC_BASE_PATHin admin sidebar nav links (#271) - UI: Broaden body font stack so Thai (and other non-Latin scripts) render correctly in subjects, sender names, and other chrome (#265)
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About webmail
Webmail built for the 21st Century. A modern, self-hosted email client for Stalwart Mail Server powered by the JMAP protocol. Email, calendar, contacts and files. Fast, private, and open source.
Related context
Earlier breaking changes
- v1.7.0 Server‑managed plugin bundles must be Ed25519‑signed and admin‑approved before loading.
- v1.7.0 Bundle hash is now full SHA-256; legacy hashes auto-migrated.
- v1.7.0 Server-managed bundles require Ed25519 signature verification.
- v1.7.0 Plugins run in sandboxed iframe with postMessage RPC bridge.
Beta — feedback welcome: [email protected]