Description:
This update for roundcubemail fixes the following issues:
- update to 1.6.13
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
+ Fix CSS injection vulnerability reported by CERT Polska (boo#1258052,
CVE-2026-26079).
+ Fix remote image blocking bypass via SVG content reported by nullcathedral
(boo#1257909, CVE-2026-25916).
This version is considered stable and we recommend to update all productive
installations of Roundcube 1.6.x with it. Please do backup your data
before updating!
CHANGELOG
+ Managesieve: Fix handling of string-list format values for date
tests in Out of Office (#10075)
+ Fix CSS injection vulnerability reported by CERT Polska.
+ Fix remote image blocking bypass via SVG content reported by nullcathedral.
- update to 1.6.12
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
+ Fix Cross-Site-Scripting vulnerability via SVG's animate tag
reported by Valentin T., CrowdStrike (boo#1255308, CVE-2025-68461).
+ Fix Information Disclosure vulnerability in the HTML style
sanitizer reported by somerandomdev (boo#1255306, CVE-2025-68460).
This version is considered stable and we recommend to update all
productive installations of Roundcube 1.6.x with it.
+ Support IPv6 in database DSN (#9937)
+ Don't force specific error_reporting setting
+ Fix compatibility with PHP 8.5 regarding array_first()
+ Remove X-XSS-Protection example from .htaccess file (#9875)
+ Fix "Assign to group" action state after creation of a first group (#9889)
+ Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
+ Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
+ Fix parsing of inline styles that aren't well-formatted (#9948)
+ Fix Cross-Site-Scripting vulnerability via SVG's animate tag
+ Fix Information Disclosure vulnerability in the HTML style sanitizer