
Fedora 43 Roundcube Webmail Important XSS SQL Issues 2026-07ee097ffe

Fedora, June 4, 2026
Critical fixes for Roundcube Webmail in Fedora 43 address multiple security issues including XSS and SQL injection.

Summary

RoundCube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides the full functionality you expect from an e-mail client, including MIME support, address book, folder manipulation, message searching and spell checking. RoundCube Webmail is written in PHP and requires a database: MySQL, PostgreSQL and SQLite are known to work. The user interface is fully skinnable using XHTML and CSS 2.

Update Information:

Release 1.6.16
- Fix potential too long value in IMAP ID command (#10136)
- Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
- Security: Fix CSS injection bypass in HTML sanitizer via SVG
- Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
- Security: Fix SSRF bypass via specific local address URLs
- Security: Fix bypass of remote image blocking via CSS var()
- Security: Fix local/private URL fetch bypass when remote resources were not allowed
- Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
- Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

Change Log

* Mon May 25 2026 Remi Collet - 1.6.16-1 - update to 1.6.16

References

[ 1 ] Bug #2481615 - CVE-2026-48842 roundcubemail: pre-auth SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2481615
[ 2 ] Bug #2481617 - CVE-2026-48844 roundcubemail: code injection via insecure LDAP autovalues option [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2481617
[ 3 ] Bug #2481619 - CVE-2026-48843 roundcubemail: information disclosure and Server-Side Request Forgery via insufficient CSS sanitization [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2481619
[ 4 ] Bug #2481622 - CVE-2026-48845 roundcubemail: privilege escalation via remote image blocking bypass [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2481622
[ 5 ] Bug #2481624 - CVE-2026-48848 roundcubemail: CSS injection via an SVG document that has an animate element with the attributeName attribute [fedora-all]
      https://bugzilla.redhat....


Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-07ee097ffe' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
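A small check script, added here as an example and not part of the Fedora advisory, that compares the installed roundcubemail version-release against the fixed 1.6.16-1.fc43 and prints the advisory's upgrade command when the host is behind. It assumes a Fedora host with rpm and GNU coreutils sort; the function names and the version strings used for checks are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): is the installed roundcubemail at or
# above the version-release fixed by FEDORA-2026-07ee097ffe?

FIXED_EVR="1.6.16-1.fc43"          # version-release from the advisory
ADVISORY="FEDORA-2026-07ee097ffe"  # advisory id used by dnf

# strip_dist: drop the distro tag (".fc43") so only version-release is compared.
strip_dist() {
    printf '%s\n' "$1" | sed 's/\.fc[0-9]*$//'
}

# is_fixed VERSION-RELEASE: exit 0 when the argument is >= the fixed
# version-release, 1 otherwise. Uses GNU sort -V, which orders numeric
# dotted/dashed versions correctly (1.6.9 < 1.6.16). For non-numeric segments
# (tildes, letters) rpm's own comparison (rpmdev-vercmp) is authoritative.
is_fixed() {
    installed=$(strip_dist "$1")
    fixed=$(strip_dist "$FIXED_EVR")
    lowest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n1)
    [ "$lowest" = "$fixed" ]
}

# On a Fedora host, query rpm for the installed package and report.
if command -v rpm >/dev/null 2>&1; then
    installed_evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' roundcubemail 2>/dev/null) \
        || installed_evr=""
    if [ -z "$installed_evr" ]; then
        echo "roundcubemail is not installed"
    elif is_fixed "$installed_evr"; then
        echo "roundcubemail $installed_evr is fixed (>= $FIXED_EVR)"
    else
        echo "roundcubemail $installed_evr is affected; run:"
        echo "  su -c 'dnf upgrade --advisory $ADVISORY'"
    fi
fi
```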

Severity: important

Name: roundcubemail
Product: Fedora 43
Version: 1.6.16
Release: 1.fc43
Summary: Round Cube Webmail is a browser-based multilingual IMAP client
