This is a security update to the stable version 1.2. It primarily fixes a recently discovered file disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default. More details will be published under
We strongly recommend updating all production installations of Roundcube 1.2.x.
Please back up your data before updating!
- Fix rewind(): stream does not support seeking (#5950)
- Fix bug where HTML messages could have been rendered empty on some systems (#5957)
- Fix (again) bug where image data URIs in CSS style were treated as evil/remote in mail preview (#5580)
- Managesieve: Fix parsing dot-stuffed lines in multiline text (#5838, #5959)
- Fix file disclosure vulnerability caused by insufficient input validation (#6026)