Roundcube 1.7.2 / 1.6.17 CVE

Erulezz

Verified User
Joined
Sep 14, 2015
Messages
720
Location
🇳🇱

Security updates 1.6.17 and 1.7.2 released​

Published: 05 July 2026

We just published security updates to the 1.6 LTS and 1.7 versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities.

Security fixes​

  • Fix an infinite loop in TNEF (winmail.dat) decoder (#10193), reported by stafra.
  • Fix various vulnerabilities in the password plugin using session-injected username, reported by Glendaenri and peppersghost.
  • Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432], reported by Bohdan Kurinnoy, Samsung R&D Institute Ukraine (SRUKR).
  • Fix SSRF bypass via specific local address URLs - two new cases, reported by Leenear.
  • Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433], reported by Bohdan Kurinnoy, Samsung R&D Institute Ukraine (SRUKR).
  • Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file, reported by h0rk1p.
See the full changelogs in the release notes on the Github download pages for the updated versions1.6.17 and 1.7.2.

We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.7.x with this new versions.
 
@fln - This update fixes critical vulnerabilities that allow for data and session exfiltration simply by viewing a message.

I believe the new CustomBuild update distribution model has introduced a critical delay, as updates are now only released alongside DirectAdmin version updates. Could you please re-evaluate this? A delay of days or weeks for a security update leaves systems exposed. This Roundcube update, for example, was released five days ago, but DA hasn't made it available yet.
 
@fln - This update fixes critical vulnerabilities that allow for data and session exfiltration simply by viewing a message.

I believe the new CustomBuild update distribution model has introduced a critical delay, as updates are now only released alongside DirectAdmin version updates. Could you please re-evaluate this? A delay of days or weeks for a security update leaves systems exposed. This Roundcube update, for example, was released five days ago, but DA hasn't made it available yet.
RoundCube 1.7.2 is already present in DA version 1.706. At this time, if you want to use it with 1.704 or 1.705, you can do this:
Code:
echo "roundcubemail:1.7.2:" >>/usr/local/directadmin/custombuild/custom_versions.txt
da build roundcube
 
Thanks for the information, Romans. However, version 1.706 is not yet the current DA version.

In other words, in practice, a critical Roundcube security update was released 5 days ago, but the current version of DA that includes it has not yet been released.

In the past, individual software updates via Custombuild were released independently of DA version updates, so they were faster. Is it not possible to go back to that approach? Security vulnerabilities are being discovered and exploited increasingly quickly with the help of AI.
 
Back
Top