Alerts This Week
Warning Icon 1 560
Alerts This Week
Warning Icon 1 560

Fedora 42 Roundcube 1.6.15 Important SVG Bypass Security 2026-051825ca18

fedora
Calendar Grey April 9, 2026
Dist Fedora Esm H88
Roundcube Webmail update fixes SVG bypass issues and ensures security in Fedora 42. Stay secure with the latest updates!
Version 1.6.15 This is a security update to the stable version 1.6 of Roundcube Webmail

Summary

RoundCube Webmail is a browser-based multilingual IMAP client

with an application-like user interface. It provides full

functionality you expect from an e-mail client, including MIME

support, address book, folder manipulation, message searching

and spell checking. RoundCube Webmail is written in PHP and

requires a database: MySQL, PostgreSQL and SQLite are known to

work. The user interface is fully skinnable using XHTML and

CSS 2.

Update Information:

Version 1.6.15 This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability: SVG Animate FUNCIRI Attribute Bypass \u2014 Remote Image Loading via fill/filter/stroke, reported by class_nzm. This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating! CHANGELOG Fix regression where mail search would fail on non-ascii search criteria (#10121) Fix regression where some data url images could get ignored/lost (#10128) Fix SVG Animate FUNCIRI Attribute Bypass \u2014 Remote Image Loading via fill/filter/stroke

Topics%20covered

Topics Covered

security advisory fedora important information disclosure remote loading svg bypass

Change Log

* Mon Mar 30 2026 Remi Collet - 1.6.15-1 - update to 1.6.15

References


[ 1 ] Bug #2454784 - CVE-2026-35543 roundcubemail: Roundcube Webmail: Information disclosure and access-control bypass via animated SVG in email [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2454784 [ 2 ] Bug #2454786 - CVE-2026-35545 roundcubemail: Roundcube Webmail: Information disclosure and access-control bypass via SVG content in email. [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2454786 [ 3 ] Bug #2454793 - CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35544 roundcubemail: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2454793

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-051825ca18' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
important
Lowest
Low
Medium
High
Critical

Name: roundcubemail
Product: Fedora 42
Version: 1.6.15
Release: 1.fc42
URL: https://roundcube.net/
Summary: Round Cube Webmail is a browser-based multilingual IMAP client

Topics%20covered

Topics Covered

security advisory fedora important information disclosure remote loading svg bypass

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here