Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 585
Alerts This Week
Warning Icon 1 585

Fedora 43 Roundcube 1.6.17 Security Fixes for XSS and DoS Issues

fedora
Calendar Grey July 15, 2026
Dist Fedora Esm H88
This advisory covers critical security fixes for Roundcube Webmail on Fedora 43 addressing various vulnerabilities.
Release 1.6.17 Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314) Enigma: Kolab WOAT Support (#8626) Security: Fix an infinite loop in TNEF (winmail...

Summary

RoundCube Webmail is a browser-based multilingual IMAP client

with an application-like user interface. It provides full

functionality you expect from an e-mail client, including MIME

support, address book, folder manipulation, message searching

and spell checking. RoundCube Webmail is written in PHP and

requires a database: MySQL, PostgreSQL and SQLite are known to

work. The user interface is fully skinnable using XHTML and

CSS 2.

Update Information:

Release 1.6.17 Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314) Enigma: Kolab WOAT Support (#8626) Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193) Security: Fix various vulnerabilities in the password plugin using session- injected username Security: Fix stored XSS via unescaped attachment MIME type on the attachment- validation warning page [CVE-2026-54432] Security: Fix SSRF bypass via specific local address URLs - two new cases Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433] Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file

Change Log

* Mon Jul 6 2026 Remi Collet - 1.6.17-1 - update to 1.6.17

References


[ 1 ] Bug #2500063 - CVE-2026-54433 roundcubemail: Roundcube Webmail: Arbitrary code execution via zero-click cross-site scripting [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2500063 [ 2 ] Bug #2500065 - CVE-2026-62642 roundcubemail: Roundcube Webmail: Denial of Service via infinite loop in TNEF decoder [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2500065 [ 3 ] Bug #2500067 - CVE-2026-62644 roundcubemail: Roundcube Webmail: Account takeover via username spoofing in password plugin [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2500067 [ 4 ] Bug #2500068 - CVE-2026-54432 roundcubemail: Roundcube Webmail: Stored Cross-Site Scripting via unescaped attachment MIME type [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2500068 [ 5 ] Bug #2500071 - CVE-2026-62641 roundcubemail: Roundcube Webmail: Denial of Service via crafted TNEF compressed-RTF size [fedora-all] https://bugzilla.redhat.co...

Read the Full Advisory

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-c3351f4ae4' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
important
Lowest
Low
Medium
High
Critical

Name: roundcubemail
Product: Fedora 43
Version: 1.6.17
Release: 1.fc43
Summary: Round Cube Webmail is a browser-based multilingual IMAP client

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.