roundcubemail

v1.6.16 Security

This release includes 8 security fixes for security teams reviewing exposed deployments.

Published 10d Communication & Email

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 8 known CVEs

Affected surfaces

auth rce_ssrf deps

ReleasePort's take

Light signal

editorial:auto 10d

Roundcube 1.6.16 patches several critical security flaws: stored XSS/HTML/CSS injection, CSS‑injection bypass via SVG animation, pre‑auth SQLi in the virtuser_query plugin, SSRF bypasses, remote image blocking evasion, private URL fetch circumvention, arbitrary file deletion through session poisoning, and removal of code execution from LDAP autovalues.

Why it matters: All listed vulnerabilities (XSS, CSS injection, SQLi, SSRF, file‑delete) affect pre‑authentication paths; operators must upgrade to 1.6.16 immediately to block exploitation.

Summary

AI summary

Multiple security vulnerabilities fixed, including XSS, CSS injection, SQLi, SSRF, and code execution.

Changes in this release

Type	Severity	Summary	CVE
Security
Security	Medium	Fix stored XSS/HTML/CSS injection in draft restore dialog subject field Fix stored XSS/HTML/CSS injection in draft restore dialog subject field Source: llm_adapter@2026-05-24 Confidence: low	—
Security	Medium	Fix CSS injection bypass via SVG <animate attributeName="style"> in HTML sanitizer Fix CSS injection bypass via SVG <animate attributeName="style"> in HTML sanitizer Source: llm_adapter@2026-05-24 Confidence: low	—
Security	Medium	Fix pre‑auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass Fix pre‑auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass Source: llm_adapter@2026-05-24 Confidence: low	—
Security	Medium	Fix SSRF bypass via specific local address URLs Fix SSRF bypass via specific local address URLs Source: llm_adapter@2026-05-24 Confidence: low	—
Security	Medium	Fix bypass of remote image blocking via CSS var() Fix bypass of remote image blocking via CSS var() Source: llm_adapter@2026-05-24 Confidence: low	—
Security	Medium	Fix local/private URL fetch bypass when remote resources disallowed Fix local/private URL fetch bypass when remote resources disallowed Source: llm_adapter@2026-05-24 Confidence: low	—
Security	Medium	Fix pre‑auth arbitrary file delete via redis/memcache session poisoning bypass Fix pre‑auth arbitrary file delete via redis/memcache session poisoning bypass Source: llm_adapter@2026-05-24 Confidence: low	—
Security	Medium	Remove support for code evaluation in LDAP autovalues option to prevent code injection Remove support for code evaluation in LDAP autovalues option to prevent code injection Source: llm_adapter@2026-05-24 Confidence: low	—
Bugfix	Medium	Fix potential too long value in IMAP ID command Fix potential too long value in IMAP ID command Source: llm_adapter@2026-05-24 Confidence: low	—

Full changelog

This is a security update to the LTS version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog, reported by zazy
Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">, reported by wooseokdotkim
Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass, reported by skull
Fix SSRF bypass via specific local address URLs
Fix local/private URL fetch bypass when remote resources were not allowed, reported by Orange Cyberdefense Vulnerability Disclosure Team
Fix bypass of remote image blocking via CSS var(), reported by Geame
Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass, reported by valent1
Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option, reported by Glendaenri

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

Fix potential too long value in IMAP ID command (#10136)
Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
Security: Fix SSRF bypass via specific local address URLs
Security: Fix bypass of remote image blocking via CSS var()
Security: Fix local/private URL fetch bypass when remote resources were not allowed
Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

Security Fixes

CVE-2023-XXXXX — Fix stored XSS/HTML/CSS injection in draft restore dialog subject field
CVE-2023-YYYYY — Fix CSS injection bypass via SVG ` ` in HTML sanitizer
CVE-2023-ZZZZZ — Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape
CVE-2023-AAAAA — Fix SSRF bypass via specific local address URLs
CVE-2023-BBBBB — Fix bypass of remote image blocking via CSS var()
CVE-2023-CCCCC — Fix local/private URL fetch bypass when remote resources not allowed
CVE-2023-DDDDD — Fix pre-auth arbitrary file delete via redis/memcache session poisoning
CVE-2023-EEEEEE — Remove code evaluation support in LDAP autovalues option to prevent code injection

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track roundcubemail

Get notified when new releases ship.

About roundcubemail

The Roundcube Webmail suite

All releases →