Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 585
Alerts This Week
Warning Icon 1 585

Fedora 44 Roundcubemail Critical XSS DoS Fix Advisory 2026-517daa8d64

fedora
Calendar Grey July 15, 2026
Dist Fedora Esm H88
Roundcubemail 1.7.2 for Fedora 44 addresses multiple serious security flaws. Update promptly to secure your systems.
Release 1.7.2 Add HEAD request handler to the static.php Fix so the oauth_password_claim claim is retrieved via token or userinfo request (#9631) Fix bug where static.php would ret...

Summary

RoundCube Webmail is a browser-based multilingual IMAP client

with an application-like user interface. It provides full

functionality you expect from an e-mail client, including MIME

support, address book, folder manipulation, message searching

and spell checking. RoundCube Webmail is written in PHP and

requires a database: MySQL, PostgreSQL and SQLite are known to

work. The user interface is fully skinnable using XHTML and

CSS 2.

Update Information:

Release 1.7.2 Add HEAD request handler to the static.php Fix so the oauth_password_claim claim is retrieved via token or userinfo request (#9631) Fix bug where static.php would return a 416 error on a specific Range request (#10194) Fix bug where configured skin logo wasn't loaded via static.php resulting in 404 error (#10191) Fix bug where installto.sh would fail if public_html folder does not exist in the target directory (#10202) Revert "Prefer 8bit over quoted-printable for HTML parts, when force_7bit is disabled (#8477)" (#10198) Fix incorrect unfolding of folded lines when importing vCard 2.1 contacts (#9647) Fix bug where Imagick could leave large temporary files on failure (#10230) Fix bug where redis/memcache session could have been updated more often than needed Fix support for untyped tokens in OIDC backchannel logout, require unset nonce (#10097) Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193) Security: Fix various vulnerabilitie...

Change Log

* Mon Jul 6 2026 Remi Collet - 1.7.2-1 - update to 1.7.2

References


[ 1 ] Bug #2500063 - CVE-2026-54433 roundcubemail: Roundcube Webmail: Arbitrary code execution via zero-click cross-site scripting [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2500063 [ 2 ] Bug #2500065 - CVE-2026-62642 roundcubemail: Roundcube Webmail: Denial of Service via infinite loop in TNEF decoder [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2500065 [ 3 ] Bug #2500067 - CVE-2026-62644 roundcubemail: Roundcube Webmail: Account takeover via username spoofing in password plugin [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2500067 [ 4 ] Bug #2500068 - CVE-2026-54432 roundcubemail: Roundcube Webmail: Stored Cross-Site Scripting via unescaped attachment MIME type [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2500068 [ 5 ] Bug #2500071 - CVE-2026-62641 roundcubemail: Roundcube Webmail: Denial of Service via crafted TNEF compressed-RTF size [fedora-all] https://bugzilla.redhat.co...

Read the Full Advisory

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-517daa8d64' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical
Lowest
Low
Medium
High
Critical

Name: roundcubemail
Product: Fedora 44
Version: 1.7.2
Release: 1.fc44
Summary: Round Cube Webmail is a browser-based multilingual IMAP client

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.