Roundcube Webmail Project News

Security updates 1.7-rc6, 1.6.15 and 1.5.15 released

2026-03-29T00:00:00+00:00

We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail, as well as a release candidate for coming 1.7. They contain fixes for recently reported set of security vulnerabilities.

Security fixes

SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

See the full changelogs in the release notes on the Github download pages for the updated versions

We strongly recommend to update your productive installations of Roundcube with this new versions.

Security updates 1.7-rc5, 1.6.14 and 1.5.14 released

2026-03-18T00:00:00+00:00

Security fixes

Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us.
Fix bug where a password could get changed without providing the old password, reported by flydragon777.
Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team.
Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral.
Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral.
Fix fixed position mitigation bypass via use of !important, reported by nullcathedral.
Fix XSS issue in a HTML attachment preview, reported by aikido_security.
Fix SSRF + Information Disclosure via stylesheet links to a local network hosts, reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/.

See the full changelogs in the release notes on the Github download pages for the updated versions

We strongly recommend to update your productive installations of Roundcube with this new versions.

Roundcube 1.7 RC4 released

2026-02-13T00:00:00+00:00

We just published the fourth release candidate for the next major version 1.7 of Roundcube webmail.

This release fixes two minor issues, it’s mostly published to fix a file permission problem in the previous release v1.7-rc3.

The changes are:

Ensure correct file permissions when building a release.
Installer: Fix broken link to download the created configuration file (#10092)

The tarballs can be downloaded from roundcube.net/download.

Or directly from the release page at github.com.

We believe it is production ready, but we recommend to test it on a separate environment.

Migrate existing configs with either the installto.sh or the update.sh scripts.

And don’t forget to backup your data before installing it!

Roundcube 1.7 RC3 released

2026-02-09T00:00:00+00:00

We just published the third release candidate for the next major version 1.7 of Roundcube webmail.

This release fixes two security issues, and contains a few more fixes for several issues.

The security fixes are:

Fix CSS injection vulnerability reported by CERT Polska.
Fix remote image blocking bypass via SVG content reported by nullcathedral.

For the full changelog please see the release page.

The tarballs can be downloaded via roundcube.net.

Or directly from the release page at github.com.

We believe it is production ready, but we recommend to test it on a separate environment.

Migrate existing configs with either the installto.sh or the update.sh scripts.

And don’t forget to backup your data before installing it!

Security updates 1.6.13 and 1.5.13 released

2026-02-08T00:00:00+00:00

We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain fixes for recently reported two security vulnerabilities.

Security fixes

Fix CSS injection vulnerability reported by CERT Polska.
Fix remote image blocking bypass via SVG content reported by nullcathedral.

See the full changelogs in the release notes on the Github download pages for the updated versions 1.6.13 and 1.5.13.

We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.5.x with this new versions.

Roundcube 1.7 RC2 released

2025-12-15T00:00:00+00:00

We just published the second release candidate for the next major version 1.7 of Roundcube webmail.

This release fixes two security issues and one syntax error in a database migration file for Postgres databases.

The changes are:

Fix Cross-Site-Scripting vulnerability via SVG’s animate tag reported by Valentin T., CrowdStrike.
Fix Information Disclosure vulnerability in the HTML style sanitizer reported by somerandomdev.
Fix syntax error in DDL scripts for Postgres (#10052)

We believe it is production ready, but we recommend to test it on a separate environment.

Migrate existing configs with either the installto.sh or the update.sh scripts.

And don’t forget to backup your data before installing it!

Security updates 1.6.12 and 1.5.12 released

2025-12-13T00:00:00+00:00

We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain fixes for recently reported two security vulnerabilities.

Security fixes

Fix Cross-Site-Scripting vulnerability via SVG’s animate tag reported by Valentin T., CrowdStrike.
Fix Information Disclosure vulnerability in the HTML style sanitizer reported by somerandomdev.

See the full changelogs in the release notes on the Github download pages for the updated versions 1.6.12 and 1.5.12.

We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.5.x with this new versions.

Roundcube 1.7 RC released

2025-12-10T00:00:00+00:00

The development team is pleased to announce the release candidate for the next major version 1.7 of Roundcube webmail!

With this milestone we introduce a few breaking changes (see below) and some further improvements in comparison to 1.7-beta2.

Some noteworthy changes are:

Add scope parameter to contact search (#9863)
Add ability to chose from all available contact fields on CSV import (#9419)
Add a new plugin called markdown_editor that provides an alternative editor to compose emails using Markdown syntax.
Add rel=’noopener’ to all links opening in a new window to mitigate against misuse in older browsers.

Breaking Changes

Remove contact_search_name option in favor of contactlist_name_template (#9832)
Replace session attribute changed by expires_at (to allow for variable session lengths per-user in a future change).
Password: Removed the (insecure) virtualmin driver (#8007)

For full details and download links please read the release notes.

We believe it is production ready, but we recommend to test it on a separate environment.

Migrate existing configs with either the installto.sh or the update.sh scripts.

And don’t forget to backup your data before installing it!

Roundcube 1.7 beta2 released

2025-10-01T00:00:00+00:00

The development team is pleased to announce the second beta release for the next major version 1.7 of Roundcube webmail.

With this milestone we introduce some more fixes, and bring full support for the early version of PHP 8.5.

It does not include breaking changes (beyond those of 1.7-beta).

Some noteworthy changes are:

Support PHP v8.5(-pre) without deprecation warnings.
Support IPv6 in database DSN (#9937)
Use htmleditor setting also for identity signature (#9954)
Fix regression in handling of non-unicode characters in a plain text message (#9953)
Fix parsing of inline styles that aren’t well-formatted (#9948)
Support early MIME types for S/MIME encrypted messages (#9973)
Only apply fix_path for href attrib in s (#9943)
Show homograph-warning-icon before email address, unify warning wording (#9945)
Show full details with warning icon in case of phishing suspicion (#9945)
Prepend group-names to display-name (#9945) Thanks to coco_melon for the reporting!
Wash the name attribute also on more elements (#9949) – Thanks to pwn.ai by Octagon Networks for the reporting!
Sanitize filename on download (#9960)
Drop Internet Explorer from supported browsers (#9963)
Enforce leading backslash for non-namespaced non-Roundcube uses (#9935)
Use asset_url() instead of get_skin_file() for deleteicon on contact edit form (#9933)
Several changes to the test tooling.

For full details please see the release notes.

This is a beta release and we recommend to test it on a separate environment. Migrate existing configs with either the installto.sh or the update.sh scripts.

And don’t forget to backup your data before installing it!

Roundcube 1.7 beta released

2025-07-14T00:00:00+00:00

The development team is pleased to announce the beta release for the next major version 1.7 of Roundcube webmail.

With this milestone we introduce a few breaking changes, some new features, and bring full support for PHP 8.4.

Some noteworthy changes are:

Make public_html/ mandatory as entry-point for HTTP daemons, protecting all installations better.
Improve support for OAuth2 (e.g. supporting OpenID Connect discovery URLs).
A Mouse-over menu on the messages list with quick action icons.
Advanced mail search syntax with more possibilities – you can now use e.g. is:unread to only match unread messages. The test file has a list of implemented keywords.
Message parts of content-type text/markdown are now rendered to HTML (if they are designated for showing).
Add a ‘php’ logging driver, which passes all log statements to PHP’s error_log handler, allowing to unify all log output.
Requires PHP v8.1 or newer.

Breaking Changes

Dropped support for PHP < 8.1.
Removed support for MS SQL Server and Oracle.
Make public_html/ entry-point mandatory, all static resources are served via static.php.
Removed apc cache driver (replaced by apcu cache driver).
Change smtp_log option default value to false.

For full details please see the release notes.

This is a beta release and we recommend to test it on a separate environment. Migrate existing configs with either the installto.sh or the update.sh scripts.

And don’t forget to backup your data before installing it!