[Pkg-roundcube-maintainers] Bug#1141495: roundcube: Multiple security vulnerabilities
Guilhem Moulin
guilhem at debian.org
Sun Jul 5 16:04:05 BST 2026
Source: roundcube
Version: 1.6.16+dfsg-1
Control: found -1 1.6.16+dfsg-0+deb13u1
Control: found -1 1.6.5+dfsg-1+deb12u9
Control: found -1 1.4.15+dfsg.1-1+deb11u9
Severity: important
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Roundcube webmail upstream has recently released 1.6.17 [0] which fixes
the following security vulnerabilities:
1. Infinite loop in TNEF (winmail.dat) decoder
https://github.com/roundcube/roundcubemail/commit/a007321346380136b3de2bd75b486b04f63c0d38
https://github.com/roundcube/roundcubemail/commit/132ac8dd5a55c8466be12de1daf84355697ffa89
2. Various vulnerabilities in the password plugin using
session-injected username
https://github.com/roundcube/roundcubemail/commit/83150ce04d689a70f92d511bcae40adba8d55476
https://github.com/roundcube/roundcubemail/commit/5cdc6a48b40beabff7f0bf5d9035f4491e877e4c
3. CVE-2026-54432: Stored XSS via unescaped attachment MIME type on
the attachment-validation warning page
https://github.com/roundcube/roundcubemail/commit/a3a4482cc9bd5569107e4393d32abb157cb2a568
4. SSRF bypass via specific local address URLs
https://github.com/roundcube/roundcubemail/commit/294c7da6e7284166f040cef8607b677d459e0786
5. CVE-2026-54433: Zero-click stored XSS in plain-text rendering
https://github.com/roundcube/roundcubemail/commit/63e42e233c6e8b5100e2e61a4d13addcd1a45bd5
6. DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file
https://github.com/roundcube/roundcubemail/commit/bf253c72d4293c93fda511b8464fe9cb34b522c1
AFAIK no CVE-ID have been published for issues 1, 2, 4 and 6. I'll
request some tomorrow unless someone beats me to it.
--
Guilhem.
[0] https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-roundcube-maintainers/attachments/20260705/cb708831/attachment.sig>
More information about the Pkg-roundcube-maintainers
mailing list