
Roundcube Webmail 1.6.17


@alecpl released this 05 Jul 11:07
1.6.17

This is a security update to the LTS version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

  • Fix an infinite loop in TNEF (winmail.dat) decoder (#10193), reported by stafra.
  • Fix various vulnerabilities in the password plugin using session-injected username, reported by Glendaenri and peppersghost.
  • Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432], reported by Bohdan Kurinnoy, Samsung R&D Institute Ukraine (SRUKR).
  • Fix SSRF bypass via specific local address URLs - two new cases, reported by Leenear.
  • Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433], reported by Bohdan Kurinnoy, Samsung R&D Institute Ukraine (SRUKR).
  • Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file, reported by h0rk1p.

This version is considered stable and we recommend updating all production installations of Roundcube 1.6.x to it. Please back up your data before updating!

CHANGELOG

  • Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
  • Enigma: Kolab WOAT Support (#8626)
  • Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
  • Security: Fix various vulnerabilities in the password plugin using session-injected username
  • Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
  • Security: Fix SSRF bypass via specific local address URLs - two new cases
  • Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
  • Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file