Roundcube 1.7 RC2 released

Published: 15 December 2025

We just published the second release candidate for the next major version 1.7 of Roundcube webmail.

This release fixes two security issues and one syntax error in a database migration file for Postgres databases.

The changes are:

  • Fix Cross-Site-Scripting vulnerability via SVG’s animate tag reported by Valentin T., CrowdStrike.
  • Fix Information Disclosure vulnerability in the HTML style sanitizer reported by somerandomdev.
  • Fix syntax error in DDL scripts for Postgres (#10052)

We believe it is production ready, but we recommend testing it in a separate environment first.

Migrate existing configs with either the installto.sh or the update.sh scripts.

And don’t forget to back up your data before installing it!
