Explore top 10 tips to secure your open-source projects now. Read More
×RoundCube Webmail is a browser-based multilingual IMAP client
with an application-like user interface. It provides full
functionality you expect from an e-mail client, including MIME
support, address book, folder manipulation, message searching
and spell checking. RoundCube Webmail is written in PHP and
requires a database: MySQL, PostgreSQL and SQLite are known to
work. The user interface is fully skinnable using XHTML and
CSS 2.
Update Information:
Release 1.7.2 Add HEAD request handler to the static.php Fix so the oauth_password_claim claim is retrieved via token or userinfo request (#9631) Fix bug where static.php would return a 416 error on a specific Range request (#10194) Fix bug where configured skin logo wasn't loaded via static.php resulting in 404 error (#10191) Fix bug where installto.sh would fail if public_html folder does not exist in the target directory (#10202) Revert "Prefer 8bit over quoted-printable for HTML parts, when force_7bit is disabled (#8477)" (#10198) Fix incorrect unfolding of folded lines when importing vCard 2.1 contacts (#9647) Fix bug where Imagick could leave large temporary files on failure (#10230) Fix bug where redis/memcache session could have been updated more often than needed Fix support for untyped tokens in OIDC backchannel logout, require unset nonce (#10097) Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193) Security: Fix various vulnerabilitie...
* Mon Jul 6 2026 Remi Collet
[ 1 ] Bug #2500063 - CVE-2026-54433 roundcubemail: Roundcube Webmail: Arbitrary code execution via zero-click cross-site scripting [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500063
[ 2 ] Bug #2500065 - CVE-2026-62642 roundcubemail: Roundcube Webmail: Denial of Service via infinite loop in TNEF decoder [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500065
[ 3 ] Bug #2500067 - CVE-2026-62644 roundcubemail: Roundcube Webmail: Account takeover via username spoofing in password plugin [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500067
[ 4 ] Bug #2500068 - CVE-2026-54432 roundcubemail: Roundcube Webmail: Stored Cross-Site Scripting via unescaped attachment MIME type [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500068
[ 5 ] Bug #2500071 - CVE-2026-62641 roundcubemail: Roundcube Webmail: Denial of Service via crafted TNEF compressed-RTF size [fedora-all]
https://bugzilla.redhat.co...
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-517daa8d64' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
Get the latest Linux and open source security news straight to your inbox.