Security updates 1.2.8 and 1.1.11 released

Published: 17 April 2018

Following the recent security update for 1.3, here now come the promised updates for the LTS versions 1.2 and 1.1. They both fix the recently reported vulnerability allowing IMAP command injection via a GET parameters. More details about this are published under CVE-2018-9846.

Another fix included in these updates is about a missed remote content blocking on HTML messages with specially crafted image and style tags.

See the full changelog in the release notes on the according Github download pages:

We strongly recommend to update all productive installations of Roundcube 1.2.x and 1.1.x respectively. Please do backup your data before updating!


An unintended regression was added with the fix for the IMAP command injection vulnerability which has also been fixed now. We therefore recommend to update to versions 1.2.9 and 1.1.11 right away.

Return to News overview