
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN542
_____________________________________________________________________

DATE                : 26/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Roundcube Webmail versions prior
                     to 1.6.16 (1.6 LTS branch) or 1.7.1 (1.7 branch).

=====================================================================
https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
_____________________________________________________________________

Security updates 1.6.16 and 1.7.1 released

Published: 24 May 2026

Tags: releases, updates, security

We just published security updates to the 1.6 LTS and 1.7 versions
of Roundcube Webmail. They both contain fixes for recently reported
security vulnerabilities.

Security fixes

    Fix stored XSS/HTML/CSS injection in subject field of the draft
    restore dialog, reported by zazy

    Fix CSS injection bypass in HTML sanitizer via SVG <animate
    attributeName="style">, reported by wooseokdotkim

    Fix pre-auth SQL injection in virtuser_query plugin via
    preg_replace backslash escape bypass, reported by skull

    Fix SSRF bypass via specific local address URLs

    Fix local/private URL fetch bypass when remote resources were
    not allowed, reported by Orange Cyberdefense Vulnerability
    Disclosure Team

    Fix bypass of remote image blocking via CSS var(), reported
    by Geame

    Fix pre-auth arbitrary file delete via redis/memcache session
    poisoning bypass, reported by valent1

    Fix code injection vulnerability - remove support for code
    evaluation in LDAP autovalues option, reported by Glendaenri

See the full changelogs in the release notes on the GitHub
download pages for the updated versions 1.6.16 and 1.7.1.

We strongly recommend updating all production installations
of Roundcube 1.6.x and 1.7.x to these new versions.
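The following check script is an addition to this note, not code from
CERT-Renater or from the Roundcube project. It classifies an installed
Roundcube version against the fixed releases named above (1.6.16 for the
1.6 LTS branch, 1.7.1 for the 1.7 branch), comparing version components
numerically so that 1.6.2 is correctly treated as older than 1.6.16. It
assumes the version is exposed as the PHP constant RCMAIL_VERSION in
program/include/iniset.php of the installation; the define line embedded
below is a constructed sample standing in for that file.

```python
import re
from typing import Tuple

# Fixed versions named in the advisory above, keyed by (major, minor) branch.
FIXED_VERSIONS = {
    (1, 6): (1, 6, 16),
    (1, 7): (1, 7, 1),
}

# Roundcube defines its version as a PHP constant; this example assumes the
# define lives in program/include/iniset.php of the installation (assumption).
_DEFINE_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")

# Constructed sample of that define line, standing in for the real file.
SAMPLE_INISET = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.6.15');\n"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '1.6.15' (or '1.7.0-rc', suffix ignored) into a numeric tuple so
    that comparisons are numeric: '1.6.2' must sort below '1.6.16', which a
    plain string comparison gets wrong."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def extract_version(iniset_php: str) -> str:
    """Pull the version string out of the RCMAIL_VERSION define."""
    m = _DEFINE_RE.search(iniset_php)
    if not m:
        raise ValueError("RCMAIL_VERSION define not found")
    return m.group(1)


def assess(version: str) -> str:
    """Classify an installed version against the advisory:
    'affected'    - below the fixed release for its branch, or older than any
                    fixed branch (the advisory's 'prior to 1.6.16' covers these)
    'fixed'       - at or above the fixed release for its branch
    'not-covered' - newer than the branches this advisory names"""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return "fixed" if v >= FIXED_VERSIONS[branch] else "affected"
    if v < FIXED_VERSIONS[(1, 6)]:
        return "affected"
    return "not-covered"


def report(iniset_php: str) -> str:
    """One-line verdict for the content of an iniset.php file."""
    version = extract_version(iniset_php)
    status = assess(version)
    action = {
        "affected": "upgrade to 1.6.16 (1.6 LTS) or 1.7.1 (1.7)",
        "fixed": "no action required for this advisory",
        "not-covered": "check the release notes for this branch",
    }[status]
    return f"Roundcube {version}: {status} - {action}"


if __name__ == "__main__":
    import sys
    # Usage: python check_roundcube.py /path/to/program/include/iniset.php
    # Without an argument the constructed sample above is assessed instead.
    content = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INISET
    print(report(content))
```

Run it against the iniset.php of each installation you administer; any
"affected" verdict means the instance is below the fixed release for its
branch and should be updated as recommended above. Versions on branches
newer than 1.7 are reported as "not-covered" rather than "fixed", since
this advisory says nothing about them.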


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================