Debian Roundcube vulnerabilities

CVE-2026-25916 [MEDIUM] CVE-2026-25916: roundcube - Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images... Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u7) bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u7) forky: resolved (fixed in 1.6.13+dfsg-1) sid: resolved (fixed in 1.6.13+dfsg-1) trixie: resolved (fixed in 1.6.13+dfsg-0+deb13u

CVE-2026-35544 [MEDIUM] CVE-2026-35544: roundcube - An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insuffici... An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8) bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u8) forky: resolved (fixed

CVE-2026-35540 [MEDIUM] CVE-2026-35540: roundcube - An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient C... An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8) bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u8) f

CVE-2026-35542 [MEDIUM] CVE-2026-35542: roundcube - An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remot... An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8) bullseye: resolved (fixed in 1.4.15+df

CVE-2026-35539 [MEDIUM] CVE-2026-35539: roundcube - An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exist... An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8) bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u8) forky: resolved (fixed in 1.6.14+dfsg-1) sid: re

CVE-2026-26079 [MEDIUM] CVE-2026-26079: roundcube - Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style She... Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u7) bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u7) forky: resolved (fixed in 1.6.13+dfsg-1) sid: resolved (fixed in 1.6.13+dfsg-1) trixie: resolved (fixed in

CVE-2026-35543 [MEDIUM] CVE-2026-35543: roundcube - An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remot... An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8) bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb1

CVE-2026-35545 [MEDIUM] CVE-2026-35545: roundcube - An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remot... An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8) bu

CVE-2026-35541 [MEDIUM] CVE-2026-35541: roundcube - An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect... An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8) bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u8) forky: resolved (fixed in 1.6

CVE-2026-35537 [LOW] CVE-2026-35537: roundcube - An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe de... An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8) bullseye: resolved forky: resolved (fixed in 1.6.14+dfsg-1) sid: resolve

CVE-2026-35538 [LOW] CVE-2026-35538: roundcube - An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitiz... An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8) bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u8) forky: resolved (fixed in 1.6.14+dfsg-1) sid: resolved (fixed in 1.6.14+

CVE-2025-49113 [CRITICAL] CVE-2025-49113: roundcube - Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execu... Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u5) bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u5) for

CVE-2025-68461 [HIGH] CVE-2025-68461: roundcube - Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-S... Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u6) bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u6) forky: resolved (fixed in 1.6.12+dfsg-1) sid: resolved (fixed in 1.6.12+dfsg-1) trixie: resolved (f

CVE-2025-68460 [HIGH] CVE-2025-68460: roundcube - Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information ... Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u6) bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u6) forky: resolved (fixed in 1.6.12+dfsg-1) sid: resolved (fixed in 1.6.12+dfsg-1) trixie: resolved (fixed in 1.6.12+

CVE-2024-42008 [CRITICAL] CVE-2024-42008: roundcube - A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcu... A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u3) bullseye: resolved (fixed in 1.4.15+

CVE-2024-42009 [CRITICAL] CVE-2024-42009: roundcube - A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x throug... A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u3) bullseye: resolved (fixed in 1.4

CVE-2024-42010 [HIGH] CVE-2024-42010: roundcube - mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently... mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u3) bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u4) forky: resolved (fixed in

CVE-2024-37384 [MEDIUM] CVE-2024-37384: roundcube - Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list column... Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u2) bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u3) forky: resolved (fixed in 1.6.7+dfsg-1) sid: resolved (fixed in 1.6.7+dfsg-1) trixie: resolved (fixed in 1.6.7+dfsg-1)

CVE-2024-37383 [MEDIUM] CVE-2024-37383: roundcube - Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate... Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes. Scope: local bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u2) bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u3) forky: resolved (fixed in 1.6.7+dfsg-1) sid: resolved (fixed in 1.6.7+dfsg-1) trixie: resolved (fixed in 1.6.7+dfsg-1)

CVE-2024-37385 [CRITICAL] CVE-2024-37385: roundcube - Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command ... Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved