This release includes 8 security fixes for security teams reviewing exposed deployments.
Affected surfaces
ReleasePort's take
Light signalRoundCube 1.7.1 patches multiple pre‑authentication security flaws including XSS, CSS injection via SVG, SQL injection in the virtuser_query plugin, SSRF bypasses, remote image rendering bypass, and arbitrary file deletion through session poisoning.
Why it matters: All seven critical vulnerabilities affect core services; upgrade to version 1.7.1 immediately to mitigate pre‑auth code execution and data leakage risks.
Summary
AI summaryUpdates import, Enigma, and Managesieve across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium |
Fix stored XSS/HTML/CSS injection in draft restore dialog subject field Fix stored XSS/HTML/CSS injection in draft restore dialog subject field Source: llm_adapter@2026-05-24 Confidence: low |
— |
| Security | Medium |
Fix CSS injection bypass via SVG <animate attributeName="style"> in HTML sanitizer Fix CSS injection bypass via SVG <animate attributeName="style"> in HTML sanitizer Source: llm_adapter@2026-05-24 Confidence: low |
— |
| Security | Medium |
Fix pre‑auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass Fix pre‑auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass Source: llm_adapter@2026-05-24 Confidence: low |
— |
| Security | Medium |
Fix SSRF bypass via specific local address URLs Fix SSRF bypass via specific local address URLs Source: llm_adapter@2026-05-24 Confidence: low |
— |
| Security | Medium |
Fix bypass of remote image blocking via CSS var() Fix bypass of remote image blocking via CSS var() Source: llm_adapter@2026-05-24 Confidence: low |
— |
| Security | Medium |
Fix local/private URL fetch bypass when remote resources disallowed Fix local/private URL fetch bypass when remote resources disallowed Source: llm_adapter@2026-05-24 Confidence: low |
— |
| Security | Medium |
Fix pre‑auth arbitrary file delete via redis/memcache session poisoning bypass Fix pre‑auth arbitrary file delete via redis/memcache session poisoning bypass Source: llm_adapter@2026-05-24 Confidence: low |
— |
| Security | Medium |
Remove code evaluation support in LDAP autovalues option to prevent code injection Remove code evaluation support in LDAP autovalues option to prevent code injection Source: llm_adapter@2026-05-24 Confidence: low |
— |
| Feature | Medium |
Add automatic public key lookup (HKP v1) support in Enigma plugin Add automatic public key lookup (HKP v1) support in Enigma plugin Source: llm_adapter@2026-05-24 Confidence: high |
— |
| Bugfix | Medium |
Fix error when mail message contains duplicate List-Id header in Managesieve Fix error when mail message contains duplicate List-Id header in Managesieve Source: llm_adapter@2026-05-24 Confidence: low |
— |
| Bugfix | Low |
Ensure "has:attachment" search uses $HasAttachment/$HasNoAttachment keywords Ensure "has:attachment" search uses $HasAttachment/$HasNoAttachment keywords Source: granite4.1:30b@2026-05-24-audit Confidence: low |
— |
| Bugfix | Low |
Prevent potential too long value in IMAP ID command Prevent potential too long value in IMAP ID command Source: granite4.1:30b@2026-05-24-audit Confidence: low |
— |
| Bugfix | Low |
Fix redis/memcache disconnection during rcube::sleep() Fix redis/memcache disconnection during rcube::sleep() Source: granite4.1:30b@2026-05-24-audit Confidence: low |
— |
| Bugfix | Low |
Allow static resources (e.g., skin_logo) to be placed inside public_html directory Allow static resources (e.g., skin_logo) to be placed inside public_html directory Source: granite4.1:30b@2026-05-24-audit Confidence: low |
— |
| Bugfix | Low |
Use REQUEST_URI as fallback when PATH_INFO not set in static.php Use REQUEST_URI as fallback when PATH_INFO not set in static.php Source: granite4.1:30b@2026-05-24-audit Confidence: low |
— |
| Bugfix | Low |
Fix assets_path feature and remove dependency on PATH_INFO Fix assets_path feature and remove dependency on PATH_INFO Source: granite4.1:30b@2026-05-24-audit Confidence: low |
— |
| Bugfix | Low |
Fix MySQL upgrade for MySQL < 8.0 and MariaDB < 10.5.3 Fix MySQL upgrade for MySQL < 8.0 and MariaDB < 10.5.3 Source: granite4.1:30b@2026-05-24-audit Confidence: low |
— |
Full changelog
This is a security update to the stable version 1.7 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
- Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog, reported by zazy
- Fix CSS injection bypass in HTML sanitizer via SVG
<animate attributeName="style">, reported by wooseokdotkim - Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass, reported by skull
- Fix SSRF bypass via specific local address URLs
- Fix local/private URL fetch bypass when remote resources were not allowed, reported by Orange Cyberdefense Vulnerability Disclosure Team
- Fix bypass of remote image blocking via CSS var(), reported by Geame
- Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass, reported by valent1
- Fix code injection vulnerability - remove support for code evaluation in LDAP
autovaluesoption, reported by Glendaenri
This version is considered stable and we recommend to update all productive installations of Roundcube 1.7.x with it. Please do backup your data before updating!
CHANGELOG
- Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
- Managesieve: Fix error when a mail message contains duplicate List-Id header (#10186)
- Clarified Elastic installation instructions (#10163)
- Added HTMLFormElement.requestSubmit() polyfill for older browsers (#10179)
- Fix so "has:attachment" search uses $HasAttachment/$HasNoAttachment keywords (#10168)
- Fix potential too long value in IMAP ID command (#10136)
- Fix redis/memcache disconnection in rcube::sleep() (#10127)
- Fix so static resources, e.g. skin_logo can be put inside the public_html directory (#10160)
- Fix so
REQUEST_URIis used as a fallback ifPATH_INFOis not set in static.php (#10181) - Fix
assets_pathfeature and remove dependency onPATH_INFO(#10185) - Fix MySQL upgrade on MySQL < 8.0 and MariaDB < 10.5.3 (#10188)
- Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
- Security: Fix CSS injection bypass in HTML sanitizer via SVG
<animate attributeName="style"> - Security: Fix pre-auth SQL injection in
virtuser_queryplugin via preg_replace backslash escape bypass - Security: Fix SSRF bypass via specific local address URLs
- Security: Fix bypass of remote image blocking via CSS var()
- Security: Fix local/private URL fetch bypass when remote resources were not allowed
- Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
- Security: Fix code injection vulnerability - remove support for code evaluation in LDAP
autovaluesoption
Security Fixes
- CVE not specified — fixes stored XSS/HTML/CSS injection in draft restore dialog subject field
- CVE not specified — fixes CSS injection bypass via SVG ` ` in HTML sanitizer
- CVE not specified — fixes pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape
- CVE not specified — fixes SSRF bypass via specific local address URLs
- CVE not specified — fixes local/private URL fetch bypass when remote resources were disallowed
- CVE not specified — fixes bypass of remote image blocking via CSS var()
- CVE not specified — fixes pre-auth arbitrary file delete via redis/memcache session poisoning
- CVE not specified — removes code evaluation support in LDAP `autovalues` option to prevent code injection
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
Beta — feedback welcome: [email protected]