Update Info

openSUSE-2026-183


Security update for roundcubemail


Type: security
Severity: important
Issued: 2026-06-02
Description:
This update for roundcubemail fixes the following issues:

Update to 1.6.16

- Fix potential too long value in IMAP ID command (#10136)
- CVE-2026-48849: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog [boo#1266337]
- CVE-2026-48848: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style"> [boo#1266336]
- CVE-2026-48842: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass [boo#1266329]
- CVE-2026-48843: Fix SSRF bypass via specific local address URLs [boo#1266331]
- CVE-2026-48846: Fix bypass of remote image blocking via CSS var() [boo#1266334]
- CVE-2026-48845: Fix local/private URL fetch bypass when remote resources were not allowed [boo#1266333]
- CVE-2026-48847: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass [boo#1266335]
- CVE-2026-48844: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option [boo#1266332]
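
The virtuser_query entry above names a specific mechanism: a value that has already been escaped for SQL is spliced into the query through preg_replace(), whose replacement string is not inserted verbatim. preg_replace() collapses a doubled backslash to a single one and treats "\N" and "$N" as back-references, so a quoted value that contains backslashes comes out of the substitution with its escaping altered. The PHP below is an added illustration of that class of bug and is not Roundcube's code: quote_mysql(), the template, the %u placeholder handling and the username payload are constructed for the example, and the upstream fix itself is not reproduced here.

```php
<?php
// Added example (not Roundcube's code). Shows how a DB-quoted value is
// damaged when it passes through preg_replace() as a replacement string,
// and two ways to avoid that. quote_mysql() is a stand-in for a driver's
// quote() method (assumption: MySQL-style backslash escaping, limited to
// backslash and single quote for clarity).

function quote_mysql(string $s): string {
    return "'" . addcslashes($s, "\\'") . "'";
}

// Vulnerable pattern: the quoted value is the preg_replace() replacement.
// Inside a replacement string "\\" becomes "\" and "\N" / "$N" are
// back-references, so attacker-controlled text can undo the escaping.
function build_query_unsafe(string $template, string $user): string {
    return preg_replace('/%u/', quote_mysql($user), $template);
}

// Safer pattern: preg_replace_callback() inserts the returned string
// verbatim, with no back-reference or backslash processing.
function build_query_callback(string $template, string $user): string {
    return preg_replace_callback(
        '/%u/',
        static fn(array $m): string => quote_mysql($user),
        $template
    );
}

// Safest pattern: keep the value out of the SQL text and bind it.
// Assumption: the caller executes the result as a prepared statement
// (for example with PDO), passing the second element as parameters.
function build_bound_query(string $template, string $user): array {
    return [str_replace('%u', '?', $template), [$user]];
}

// Constructed inputs for the demonstration.
$template = 'SELECT email FROM virtual_users WHERE username = %u';
$payload  = "\\' OR 1=1 -- ";   // the login name  \' OR 1=1 --

echo build_query_unsafe($template, $payload), "\n";
echo build_query_callback($template, $payload), "\n";

[$sql, $params] = build_bound_query($template, $payload);
echo $sql, "\n";
echo implode(',', $params), "\n";
```

With the payload shown, quote_mysql() yields the literal 'BACKSLASH BACKSLASH BACKSLASH QUOTE OR 1=1 -- ' (each of the backslash and the quote gets its own escaping backslash). preg_replace() then collapses the first two backslashes into one, so the query text ends with two backslashes followed by a quote: to MySQL the doubled backslash is an escaped backslash, the quote closes the string, and "OR 1=1" runs as SQL. preg_replace_callback() leaves the three backslashes intact, so the quote stays escaped and the whole payload remains inside the string literal. A username containing "$1" shows the other side of the same problem: in the unsafe version it is treated as a back-reference to a capture group the pattern does not have and is silently dropped. Binding the value as a parameter sidesteps both issues, which is why it is the form to prefer when the query template is under the operator's control.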

References


Packages


  • roundcubemail-1.6.16-bp157.2.12.1