Explore top 10 tips to secure your open-source projects now. Read More
×RoundCube Webmail is a browser-based multilingual IMAP client
with an application-like user interface. It provides full
functionality you expect from an e-mail client, including MIME
support, address book, folder manipulation, message searching
and spell checking. RoundCube Webmail is written in PHP and
requires a database: MySQL, PostgreSQL and SQLite are known to
work. The user interface is fully skinnable using XHTML and
CSS 2.
Update Information:
Release 1.6.17 Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314) Enigma: Kolab WOAT Support (#8626) Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193) Security: Fix various vulnerabilities in the password plugin using session- injected username Security: Fix stored XSS via unescaped attachment MIME type on the attachment- validation warning page [CVE-2026-54432] Security: Fix SSRF bypass via specific local address URLs - two new cases Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433] Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file
* Mon Jul 6 2026 Remi Collet
[ 1 ] Bug #2500063 - CVE-2026-54433 roundcubemail: Roundcube Webmail: Arbitrary code execution via zero-click cross-site scripting [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500063
[ 2 ] Bug #2500065 - CVE-2026-62642 roundcubemail: Roundcube Webmail: Denial of Service via infinite loop in TNEF decoder [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500065
[ 3 ] Bug #2500067 - CVE-2026-62644 roundcubemail: Roundcube Webmail: Account takeover via username spoofing in password plugin [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500067
[ 4 ] Bug #2500068 - CVE-2026-54432 roundcubemail: Roundcube Webmail: Stored Cross-Site Scripting via unescaped attachment MIME type [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2500068
[ 5 ] Bug #2500071 - CVE-2026-62641 roundcubemail: Roundcube Webmail: Denial of Service via crafted TNEF compressed-RTF size [fedora-all]
https://bugzilla.redhat.co...
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-c3351f4ae4' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
Get the latest Linux and open source security news straight to your inbox.