
webmail

v1.6.7 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 17d ago in Communication & Email
✓ No known CVEs patched
This release patches 2 known CVEs

Topics

calendar, contacts, email, email-client, jmap, mail, nextjs, self-hosted, typescript, webmail

Affected surfaces

auth deps

ReleasePort's take

Moderate signal
editorial:auto 9d

The release adds sandboxed HTML rendering for mail using a CSP meta tag and redacts sensitive configuration secrets from admin API responses.

Why it matters: rendering mail HTML inside a sandboxed iframe with its own CSP mitigates email-based script injection; redacting secrets keeps credentials from being exposed accidentally through admin endpoints. No severity metric or deadline is specified.
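As an added illustration of the first fix (example code, not the webmail project's own; the policy strings, sandbox flags and helper names are assumptions), this is the shape of the container a viewer hands untrusted thread HTML to: a srcdoc document whose head carries a CSP meta tag, paired with an iframe sandbox that grants no script execution, plus a self-check that refuses the two sandbox flags which together would let the frame script against its parent.

```javascript
// Added example (not the webmail project's own code): the container a mail
// viewer hands untrusted thread HTML to. The policy strings and the helper
// names are assumptions, not the project's actual values.

// CSP delivered inside the srcdoc document itself. Directives a <meta> policy
// cannot carry (frame-ancestors, report-uri, sandbox) are left out on purpose;
// the iframe sandbox attribute below is what disables script execution.
const MAIL_CSP = [
  "default-src 'none'",
  "img-src data: https:",      // inline and remote images only
  "style-src 'unsafe-inline'", // mail HTML depends on inline styles
  "font-src https:",
  "form-action 'none'",        // no form submission out of the frame
].join('; ');

// Sandbox flags for the host <iframe>. Neither allow-scripts nor
// allow-same-origin is granted, so the document runs as an opaque origin with
// scripting off and cannot reach the parent page or its cookies.
const MAIL_SANDBOX = 'allow-popups allow-popups-to-escape-sandbox';

// Wrap the mail HTML in a complete document whose <head> carries the policy.
// The mail is not modified: the sandbox and CSP are what contain it. The meta
// tag sits in <head>, so it is parsed before any mail content, and a CSP
// <meta> the mail carries itself can only tighten the result, because every
// delivered policy has to be satisfied.
function buildMailSrcDoc(untrustedHtml) {
  return [
    '<!DOCTYPE html>',
    '<html><head>',
    '<meta charset="utf-8">',
    `<meta http-equiv="Content-Security-Policy" content="${MAIL_CSP}">`,
    '<base target="_blank">', // links open outside the frame
    '</head><body>',
    untrustedHtml,
    '</body></html>',
  ].join('\n');
}

// Startup self-check: fail fast if a future change grants the two flags that
// together let a sandboxed frame script against its parent.
function assertSandboxIsOpaque(sandbox) {
  const flags = new Set(sandbox.split(/\s+/).filter(Boolean));
  const dangerous = ['allow-scripts', 'allow-same-origin'].filter((f) => flags.has(f));
  if (dangerous.length) {
    throw new Error(`mail iframe sandbox must not grant ${dangerous.join(', ')}`);
  }
  return true;
}

// Parse a policy string into { directive: [sources] } so tests assert on the
// effective policy rather than on string layout.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0]] = tokens.slice(1);
  }
  return out;
}

// Constructed sample: script-bearing mail HTML as it might arrive in a thread.
const SAMPLE_MAIL = '<p onmouseover="document.title=1">hello</p><script>document.title=2</script>';

// In a React/Next.js viewer the result is mounted as (JSX kept in a comment so
// this file runs under plain Node):
// <iframe sandbox={MAIL_SANDBOX} srcDoc={buildMailSrcDoc(thread.html)} referrerPolicy="no-referrer" />
assertSandboxIsOpaque(MAIL_SANDBOX);
console.log(buildMailSrcDoc(SAMPLE_MAIL));
```

The check worth keeping in a test suite is the one on `assertSandboxIsOpaque`: the CSP meta tag is defence in depth, but it is the absence of `allow-scripts` together with `allow-same-origin` that keeps message content from reaching the parent document's session.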

Summary

AI summary

Mail HTML rendering sandboxed with CSP and admin API secrets redacted.

Changes in this release

Security Medium

Mail: Sandbox thread email HTML in srcDoc iframe with a CSP meta tag

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Security Medium

Admin: Redact sensitive config secrets from the admin API response

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Security Medium

Admin: Make impersonation cookies session-only

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Feature Medium

Contacts: vCard 4.0 parsing and generation support

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Feature Medium

Admin: Master-user impersonation route with app-top-banner plugin slot rendered on every authenticated page

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Feature Medium

Admin: Allow admin password overwrite during setup recovery

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Feature Medium

Setup: HTTPS requirement warning in the setup wizard

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Feature Medium

Mobile: Show details toggle and expandable panel for sender info

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Feature Medium

Plugins: Carry configSchema + settingsSchema through marketplace install

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Performance Medium

Calendar: Speed up calendar invitation banner load

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Performance Medium

Build: Add outputFileTracingExcludes to reduce Turbopack memory tracing

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Deprecation Medium

Plugins: Warn and block install when the app version is below the plugin's minAppVersion

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Auth: Read OAUTH_SCOPES at runtime instead of build time

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Auth: Use a relative Location header in redirects

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Auth: Adopt orphan session cookie on first SPA load

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Mail: Per-account push subscriptions so multi-account notifications work

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Mail: Close attachment preview when clicking outside the content area

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Mail: Pin quick reply to the bottom for short emails

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Mail: Show "no body content" instead of an infinite skeleton for bodyless emails

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Mail: Show contact popup when clicking the sender name in the email header

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Mail: Prevent long addresses from overflowing email details columns

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Mobile: Align quick reply with the mobile bottom toolbar

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Mobile: Respect safe-area insets on mobile bottom bars

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Mobile: Pad safe-area-inset-top

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

UI: Apply dark background to the email content wrapper in dark mode

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

UI: Improve dark mode background colors in the email viewer

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

UI: Add viewport export with initialScale: 1

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

UI: Strip the Stalwart master-user % suffix from the displayed account

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Refactor Medium

Plugins: Register app-top-banner in plugin-store SLOT_NAMES

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Other Medium

Add missing translation keys across 16 locales

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Full changelog

1.6.7 (2026-05-17)

Features

  • Contacts: vCard 4.0 parsing and generation support
  • Admin: Master-user impersonation route with app-top-banner plugin slot rendered on every authenticated page
  • Admin: Allow admin password overwrite during setup recovery
  • Setup: HTTPS requirement warning in the setup wizard
  • Mobile: Show details toggle and expandable panel for sender info

Performance

  • Calendar: Speed up calendar invitation banner load

Security

  • Mail: Sandbox thread email HTML in srcDoc iframe with a CSP <meta> tag
  • Admin: Redact sensitive config secrets from the admin API response
  • Admin: Make impersonation cookies session-only

Fixes

  • Auth: Read OAUTH_SCOPES at runtime instead of build time
  • Auth: Use a relative Location header in redirects
  • Auth: Adopt orphan session cookie on first SPA load
  • Mail: Per-account push subscriptions so multi-account notifications work (#298)
  • Mail: Close attachment preview when clicking outside the content area
  • Mail: Pin quick reply to the bottom for short emails
  • Mail: Show "no body content" instead of an infinite skeleton for bodyless emails
  • Mail: Show contact popup when clicking the sender name in the email header
  • Mail: Prevent long addresses from overflowing email details columns (#297)
  • Mobile: Align quick reply with the mobile bottom toolbar
  • Mobile: Respect safe-area insets on mobile bottom bars
  • Mobile: Pad safe-area-inset-top
  • UI: Apply dark background to the email content wrapper in dark mode
  • UI: Improve dark mode background colors in the email viewer
  • UI: Add viewport export with initialScale: 1
  • UI: Strip the Stalwart master-user % suffix from the displayed account
  • Plugins: Warn and block install when the app version is below the plugin's minAppVersion
  • Plugins: Register app-top-banner in plugin-store SLOT_NAMES
  • Plugins: Carry configSchema + settingsSchema through marketplace install
  • Build: Add outputFileTracingExcludes to reduce Turbopack memory tracing

i18n

  • Add missing translation keys across 16 locales

Security Fixes

  • Mail HTML sandboxed in srcDoc iframe using a CSP <meta> tag (prevents cross-site scripting)
  • Admin API response redacts sensitive configuration secrets
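For the second fix, an added example (not the webmail project's own code; the config keys and helper names are assumptions) of how an admin handler can produce a response copy with credentials removed, including passwords embedded in connection-string URLs, together with a regression check that confirms no known secret value survives in the body that is about to be sent.

```javascript
// Added example (not the webmail project's own code): build the copy of the
// runtime configuration that an admin API handler is allowed to return.
// The key names below are assumptions, not the project's config schema.

// Keys known to hold credentials in this assumed config shape.
const SECRET_KEYS = new Set(['oauthClientSecret', 'sessionSecret', 'smtpPassword', 'jmapToken']);

// Fallback for keys added later: anything whose name looks like a credential.
const SECRET_NAME = /secret|password|passwd|token|api[_-]?key|private[_-]?key/i;

const REDACTED = '[redacted]';

function isSecretKey(key) {
  return SECRET_KEYS.has(key) || SECRET_NAME.test(key);
}

// Connection strings carry credentials in the URL userinfo; strip the password
// there too, since a key name such as "smtpUrl" does not look sensitive.
function redactUrlPassword(str) {
  if (!str.includes('://') || !str.includes('@')) return str;
  try {
    const u = new URL(str);
    if (u.password === '') return str;
    u.password = 'REDACTED';
    return u.href;
  } catch (e) {
    return str; // not a parseable URL, leave as is
  }
}

// Returns a deep copy with secrets replaced; the input is never mutated, so the
// live config object stays usable by the rest of the process.
function redactConfig(value) {
  if (Array.isArray(value)) return value.map(redactConfig);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (isSecretKey(k)) {
        // keep "unset" visible (null/empty) so admins can tell what is configured
        out[k] = v == null || v === '' ? v : REDACTED;
      } else {
        out[k] = redactConfig(v);
      }
    }
    return out;
  }
  if (typeof value === 'string') return redactUrlPassword(value);
  return value;
}

// Regression check for the handler: walk the real config, collect every secret
// value, and report the keys whose value still appears verbatim in the body.
function leakedSecretKeys(responseBody, config) {
  const serialized = JSON.stringify(responseBody);
  const leaks = [];
  const walk = (v, key) => {
    if (Array.isArray(v)) {
      v.forEach((x) => walk(x, key));
    } else if (v !== null && typeof v === 'object') {
      for (const [k, x] of Object.entries(v)) walk(x, k);
    } else if (typeof v === 'string' && v !== '' && key !== null && isSecretKey(key) && serialized.includes(v)) {
      leaks.push(key);
    }
  };
  walk(config, null);
  return leaks;
}

// Constructed sample config; the values are placeholders, not real credentials.
const SAMPLE_CONFIG = {
  appName: 'webmail',
  oauth: { clientId: 'webmail-client', clientSecret: 'sample-oauth-secret-value' },
  sessionSecret: '',
  smtpUrl: 'smtp://mailer:sample-smtp-pass@smtp.example.test:587',
  admins: [{ name: 'ops', apiKey: 'sample-api-key-value' }],
};

console.log(JSON.stringify(redactConfig(SAMPLE_CONFIG), null, 2));
console.log('leaks in raw response:', leakedSecretKeys(SAMPLE_CONFIG, SAMPLE_CONFIG));
console.log('leaks in redacted response:', leakedSecretKeys(redactConfig(SAMPLE_CONFIG), SAMPLE_CONFIG));
```

The exact-key set is the part to maintain deliberately; the name heuristic only catches keys that happen to be named conventionally, and `leakedSecretKeys` is the value-based check that catches the case where a secret lives under a key neither list recognises, so it belongs in the handler's tests rather than only at development time.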


About webmail

Webmail built for the 21st Century. A modern, self-hosted email client for Stalwart Mail Server powered by the JMAP protocol. Email, calendar, contacts and files. Fast, private, and open source.


Related context

Earlier breaking changes

  • v1.7.0 Server-managed plugin bundles must be Ed25519-signed and admin-approved before loading.
  • v1.7.0 Bundle hash is now full SHA-256; legacy hashes auto-migrated.
  • v1.7.0 Server-managed bundles require Ed25519 signature verification.
  • v1.7.0 Plugins run in sandboxed iframe with postMessage RPC bridge.
