[Pkg-roundcube-maintainers] Bug#1137507: roundcube: Multiple security vulnerabilities

Guilhem Moulin guilhem at debian.org
Sun May 24 12:17:42 BST 2026


Forgot the links to the upstream fixes, sorry.  Here they are for the
release-1.6 branch.

On Sun, 24 May 2026 at 13:12:24 +0200, Guilhem Moulin wrote:
> 1. Stored XSS/HTML/CSS injection in subject field of the draft restore
>   dialog.

https://github.com/roundcube/roundcubemail/commit/a21519187873ce962db029b6ff68e47bd7f3fd8a

> 2. CSS injection bypass in HTML sanitizer via SVG <animate
>   attributeName="style">.

https://github.com/roundcube/roundcubemail/commit/58e5263f341e6a418774fb6d2643669a3c4d8a27

> 3. Pre-auth SQL injection in virtuser_query plugin via preg_replace
>   backslash escape bypass.

https://github.com/roundcube/roundcubemail/commit/87124cc7136a48b5fa9d2b40dfead6e9dcaeaf4b

> 4. SSRF bypass via specific local address URLs.

https://github.com/roundcube/roundcubemail/commit/cb3fc9041e91640ba9ba49ee7b2147c176ebf5a1

> 5. Local/private URL fetch bypass when remote resources were not
>   allowed.

https://github.com/roundcube/roundcubemail/commit/7b52353653a67e6073b97d70eb94047132b78556

> 6. Bypass of remote image blocking via CSS var().

https://github.com/roundcube/roundcubemail/commit/852350486b88b35b8544e8a630fad89e99e2150a

> 7. Pre-auth arbitrary file delete via redis/memcache session poisoning
>   bypass.

https://github.com/roundcube/roundcubemail/commit/703318e6a59515b73b0d8aa2a91e346b02f56baa

> 8. Code injection vulnerability via code evaluation support in LDAP
>   autovalues option.  Code evaluation support has now been removed.

https://github.com/roundcube/roundcubemail/commit/ea1798a6fbf060abcc0ba73b2435036bf8016a5a

-- 
Guilhem.