[Pkg-roundcube-maintainers] Bug#1127447: roundcube: CSS injection vulnerability and remote image blocking bypass
Guilhem Moulin
guilhem at debian.org
Sun Feb 8 22:41:28 GMT 2026
Source: roundcube
Version: 1.6.12+dfsg-1
Severity: important
Control: found -1 1.6.12+dfsg-0+deb13u1
Control: found -1 1.6.5+dfsg-1+deb12u6
Control: found -1 1.4.15+dfsg.1-1+deb11u6
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Roundcube webmail upstream has recently released 1.6.13 [0] which fixes
the following vulnerabilities:
 * CSS injection vulnerability reported by CERT Polska.
   https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816
   https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447 (regression)
   https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01 (regression)

 * Remote image blocking bypass via SVG content reported by nullcathedral.
   https://github.com/roundcube/roundcubemail/commit/036e851b683333205813f70acda2dc047b4891c8

AFAICT no CVE-IDs have been published for these issues. I just requested
some.
--
Guilhem.
[0] https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13