OPENSUSE-SU-2026:20323-1
Vulnerability from csaf_opensuse - Published: 2026-03-05 18:31 - Updated: 2026-03-05 18:31Summary
Security update for roundcubemail
Severity
Important
Notes
Title of the patch: Security update for roundcubemail
Description of the patch: This update for roundcubemail fixes the following issues:
Changes to roundcubemail:
Update to 1.6.13:
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
+ Fix CSS injection vulnerability reported by CERT Polska (boo#1258052,
CVE-2026-26079).
+ Fix remote image blocking bypass via SVG content reported by nullcathedral
(boo#1257909, CVE-2026-25916).
This version is considered stable and we recommend to update all productive
installations of Roundcube 1.6.x with it. Please do backup your data
before updating!
CHANGELOG
+ Managesieve: Fix handling of string-list format values for date
tests in Out of Office (#10075)
+ Fix CSS injection vulnerability reported by CERT Polska.
+ Fix remote image blocking bypass via SVG content reported by nullcathedral.
Update to 1.6.12:
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
+ Fix Cross-Site-Scripting vulnerability via SVG's animate tag
reported by Valentin T., CrowdStrike (boo#1255308, CVE-2025-68461).
+ Fix Information Disclosure vulnerability in the HTML style
sanitizer reported by somerandomdev (boo#1255306, CVE-2025-68460).
This version is considered stable and we recommend to update all
productive installations of Roundcube 1.6.x with it.
+ Support IPv6 in database DSN (#9937)
+ Don't force specific error_reporting setting
+ Fix compatibility with PHP 8.5 regarding array_first()
+ Remove X-XSS-Protection example from .htaccess file (#9875)
+ Fix "Assign to group" action state after creation of a first group (#9889)
+ Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
+ Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
+ Fix parsing of inline styles that aren't well-formatted (#9948)
+ Fix Cross-Site-Scripting vulnerability via SVG's animate tag
+ Fix Information Disclosure vulnerability in the HTML style sanitizer
Update to 1.6.11
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
* Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.
- CHANGELOG
* Managesieve: Fix match-type selector (remove unsupported options) in delete header action (#9610)
* Improve installer to fix confusion about disabling SMTP authentication (#9801)
* Fix PHP warning in index.php (#9813)
* OAuth: Fix/improve token refresh
* Fix dark mode bug where wrong colors were used for blockquotes in HTML mail preview (#9820)
* Fix HTML message preview if it contains floating tables (#9804)
* Fix removing/expiring redis/memcache records when using a key prefix
* Fix bug where a wrong SPECIAL-USE folder could have been detected, if there were more than one per-type (#9781)
* Fix a default value and documentation of password_ldap_encodage option (#9658)
* Remove mobile/floating Create button from the list in Settings > Folders (#9661)
* Fix Delete and Empty buttons state while creating a folder (#9047)
* Fix connecting to LDAP using ldapi:// URI (#8990)
* Fix cursor position on "below the quote" reply in HTML mode (#8700)
* Fix bug where attachments with content type of application/vnd.ms-tnef were not parsed (#7119)
Update to 1.6.10:
This is the next service release to update the stable version 1.6.
* IMAP: Partial support for ANNOTATE-EXPERIMENT-1 extension (RFC 5257)
* OAuth: Support standard authentication with short-living password received with OIDC token (#9530)
* Fix PHP warnings (#9616, #9611)
* Fix whitespace handling in vCard line continuation (#9637)
* Fix current script state after initial scripts creation in managesieve_kolab_master mode
* Fix rcube_imap::get_vendor() result (and PHP warning) on Zimbra server (#9650)
* Fix regression causing inline SVG images to be missing in mail preview (#9644)
* Fix plugin "virtuser_file" to handle backward slashes in username (#9668)
* Fix PHP fatal error when parsing some malformed BODYSTRUCTURE responses (#9689)
* Fix insert_or_update() and reading database server config on PostgreSQL (#9710)
* Fix Oauth issues with use_secure_urls=true (#9722)
* Fix handling of binary mail parts (e.g. PDF) encoded with quoted-printable (#9728)
* Fix links in comments and config to https:// where available (#9759, #9756)
* Fix decoding of attachment names encoded using both RFC2231 and RFC2047 standards (#9725)
Patchnames: openSUSE-Leap-16.0-packagehub-151
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
6.1 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
4.7 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for roundcubemail",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for roundcubemail fixes the following issues:\n\nChanges to roundcubemail:\n\nUpdate to 1.6.13:\n\n This is a security update to the stable version 1.6 of Roundcube Webmail.\n It provides fixes to recently reported security vulnerabilities:\n + Fix CSS injection vulnerability reported by CERT Polska (boo#1258052,\n CVE-2026-26079).\n + Fix remote image blocking bypass via SVG content reported by nullcathedral\n (boo#1257909, CVE-2026-25916).\n\n This version is considered stable and we recommend to update all productive\n installations of Roundcube 1.6.x with it. Please do backup your data\n before updating!\n\n CHANGELOG\n + Managesieve: Fix handling of string-list format values for date\n tests in Out of Office (#10075)\n + Fix CSS injection vulnerability reported by CERT Polska.\n + Fix remote image blocking bypass via SVG content reported by nullcathedral.\n\nUpdate to 1.6.12:\n\n This is a security update to the stable version 1.6 of Roundcube Webmail.\n It provides fixes to recently reported security vulnerabilities:\n\n + Fix Cross-Site-Scripting vulnerability via SVG\u0027s animate tag\n reported by Valentin T., CrowdStrike (boo#1255308, CVE-2025-68461).\n + Fix Information Disclosure vulnerability in the HTML style\n sanitizer reported by somerandomdev (boo#1255306, CVE-2025-68460).\n\n This version is considered stable and we recommend to update all\n productive installations of Roundcube 1.6.x with it.\n\n + Support IPv6 in database DSN (#9937)\n + Don\u0027t force specific error_reporting setting\n + Fix compatibility with PHP 8.5 regarding array_first()\n + Remove X-XSS-Protection example from .htaccess file (#9875)\n + Fix \"Assign to group\" action state after creation of a first group (#9889)\n + Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)\n + Fix bug where an mbox export file could include inconsistent message delimiters (#9879)\n + Fix parsing of inline styles that aren\u0027t well-formatted (#9948)\n + Fix Cross-Site-Scripting vulnerability via SVG\u0027s animate tag\n + Fix Information Disclosure vulnerability in the HTML style sanitizer\n\nUpdate to 1.6.11\n\n This is a security update to the stable version 1.6 of Roundcube Webmail.\n It provides fixes to recently reported security vulnerabilities:\n * Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.\n\n- CHANGELOG\n * Managesieve: Fix match-type selector (remove unsupported options) in delete header action (#9610)\n * Improve installer to fix confusion about disabling SMTP authentication (#9801)\n * Fix PHP warning in index.php (#9813)\n * OAuth: Fix/improve token refresh\n * Fix dark mode bug where wrong colors were used for blockquotes in HTML mail preview (#9820)\n * Fix HTML message preview if it contains floating tables (#9804)\n * Fix removing/expiring redis/memcache records when using a key prefix\n * Fix bug where a wrong SPECIAL-USE folder could have been detected, if there were more than one per-type (#9781)\n * Fix a default value and documentation of password_ldap_encodage option (#9658)\n * Remove mobile/floating Create button from the list in Settings \u003e Folders (#9661)\n * Fix Delete and Empty buttons state while creating a folder (#9047)\n * Fix connecting to LDAP using ldapi:// URI (#8990)\n * Fix cursor position on \"below the quote\" reply in HTML mode (#8700)\n * Fix bug where attachments with content type of application/vnd.ms-tnef were not parsed (#7119)\n\nUpdate to 1.6.10:\n\n This is the next service release to update the stable version 1.6.\n * IMAP: Partial support for ANNOTATE-EXPERIMENT-1 extension (RFC 5257)\n * OAuth: Support standard authentication with short-living password received with OIDC token (#9530)\n * Fix PHP warnings (#9616, #9611)\n * Fix whitespace handling in vCard line continuation (#9637)\n * Fix current script state after initial scripts creation in managesieve_kolab_master mode\n * Fix rcube_imap::get_vendor() result (and PHP warning) on Zimbra server (#9650)\n * Fix regression causing inline SVG images to be missing in mail preview (#9644)\n * Fix plugin \"virtuser_file\" to handle backward slashes in username (#9668)\n * Fix PHP fatal error when parsing some malformed BODYSTRUCTURE responses (#9689)\n * Fix insert_or_update() and reading database server config on PostgreSQL (#9710)\n * Fix Oauth issues with use_secure_urls=true (#9722)\n * Fix handling of binary mail parts (e.g. PDF) encoded with quoted-printable (#9728)\n * Fix links in comments and config to https:// where available (#9759, #9756)\n * Fix decoding of attachment names encoded using both RFC2231 and RFC2047 standards (#9725)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-151",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20323-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1255306",
"url": "https://bugzilla.suse.com/1255306"
},
{
"category": "self",
"summary": "SUSE Bug 1255308",
"url": "https://bugzilla.suse.com/1255308"
},
{
"category": "self",
"summary": "SUSE Bug 1257909",
"url": "https://bugzilla.suse.com/1257909"
},
{
"category": "self",
"summary": "SUSE Bug 1258052",
"url": "https://bugzilla.suse.com/1258052"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-68460 page",
"url": "https://www.suse.com/security/cve/CVE-2025-68460/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-68461 page",
"url": "https://www.suse.com/security/cve/CVE-2025-68461/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25916 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25916/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-26079 page",
"url": "https://www.suse.com/security/cve/CVE-2026-26079/"
}
],
"title": "Security update for roundcubemail",
"tracking": {
"current_release_date": "2026-03-05T18:31:03Z",
"generator": {
"date": "2026-03-05T18:31:03Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20323-1",
"initial_release_date": "2026-03-05T18:31:03Z",
"revision_history": [
{
"date": "2026-03-05T18:31:03Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "roundcubemail-1.6.13-bp160.1.1.noarch",
"product": {
"name": "roundcubemail-1.6.13-bp160.1.1.noarch",
"product_id": "roundcubemail-1.6.13-bp160.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "roundcubemail-1.6.13-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:roundcubemail-1.6.13-bp160.1.1.noarch"
},
"product_reference": "roundcubemail-1.6.13-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-68460",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-68460"
}
],
"notes": [
{
"category": "general",
"text": "Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:roundcubemail-1.6.13-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-68460",
"url": "https://www.suse.com/security/cve/CVE-2025-68460"
},
{
"category": "external",
"summary": "SUSE Bug 1255306 for CVE-2025-68460",
"url": "https://bugzilla.suse.com/1255306"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:roundcubemail-1.6.13-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:roundcubemail-1.6.13-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-05T18:31:03Z",
"details": "important"
}
],
"title": "CVE-2025-68460"
},
{
"cve": "CVE-2025-68461",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-68461"
}
],
"notes": [
{
"category": "general",
"text": "Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:roundcubemail-1.6.13-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-68461",
"url": "https://www.suse.com/security/cve/CVE-2025-68461"
},
{
"category": "external",
"summary": "SUSE Bug 1255308 for CVE-2025-68461",
"url": "https://bugzilla.suse.com/1255308"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:roundcubemail-1.6.13-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:roundcubemail-1.6.13-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-05T18:31:03Z",
"details": "important"
}
],
"title": "CVE-2025-68461"
},
{
"cve": "CVE-2026-25916",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25916"
}
],
"notes": [
{
"category": "general",
"text": "Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when \"Block remote images\" is used, does not block SVG feImage.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:roundcubemail-1.6.13-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25916",
"url": "https://www.suse.com/security/cve/CVE-2026-25916"
},
{
"category": "external",
"summary": "SUSE Bug 1257909 for CVE-2026-25916",
"url": "https://bugzilla.suse.com/1257909"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:roundcubemail-1.6.13-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-05T18:31:03Z",
"details": "moderate"
}
],
"title": "CVE-2026-25916"
},
{
"cve": "CVE-2026-26079",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-26079"
}
],
"notes": [
{
"category": "general",
"text": "Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:roundcubemail-1.6.13-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-26079",
"url": "https://www.suse.com/security/cve/CVE-2026-26079"
},
{
"category": "external",
"summary": "SUSE Bug 1258052 for CVE-2026-26079",
"url": "https://bugzilla.suse.com/1258052"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:roundcubemail-1.6.13-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:roundcubemail-1.6.13-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-05T18:31:03Z",
"details": "moderate"
}
],
"title": "CVE-2026-26079"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…