Alerts This Week
Warning Icon 1 535
Alerts This Week
Warning Icon 1 535

Fedora 43 Roundcube Webmail Update 1.6.15 Advisory on SVG Bypass

fedora
Calendar Grey April 9, 2026
Dist Fedora Esm H88
Stay secure by updating to Roundcube Webmail 1.6.15 with fixes for SVG vulnerabilities. Protect your email data now.
Version 1.6.15 This is a security update to the stable version 1.6 of Roundcube Webmail

Summary

RoundCube Webmail is a browser-based multilingual IMAP client

with an application-like user interface. It provides full

functionality you expect from an e-mail client, including MIME

support, address book, folder manipulation, message searching

and spell checking. RoundCube Webmail is written in PHP and

requires a database: MySQL, PostgreSQL and SQLite are known to

work. The user interface is fully skinnable using XHTML and

CSS 2.

Update Information:

Version 1.6.15 This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability: SVG Animate FUNCIRI Attribute Bypass \u2014 Remote Image Loading via fill/filter/stroke, reported by class_nzm. This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating! CHANGELOG Fix regression where mail search would fail on non-ascii search criteria (#10121) Fix regression where some data url images could get ignored/lost (#10128) Fix SVG Animate FUNCIRI Attribute Bypass \u2014 Remote Image Loading via fill/filter/stroke

Topics%20covered

Topics Covered

security advisory fedora remote access webmail information disclosure svg bypass

Change Log

* Mon Mar 30 2026 Remi Collet - 1.6.15-1 - update to 1.6.15

References


[ 1 ] Bug #2454784 - CVE-2026-35543 roundcubemail: Roundcube Webmail: Information disclosure and access-control bypass via animated SVG in email [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2454784 [ 2 ] Bug #2454786 - CVE-2026-35545 roundcubemail: Roundcube Webmail: Information disclosure and access-control bypass via SVG content in email. [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2454786 [ 3 ] Bug #2454793 - CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35544 roundcubemail: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2454793

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-8ba1a085a9' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
important
Lowest
Low
Medium
High
Critical

Name: roundcubemail
Product: Fedora 43
Version: 1.6.15
Release: 1.fc43
URL: https://roundcube.net/
Summary: Round Cube Webmail is a browser-based multilingual IMAP client

Topics%20covered

Topics Covered

security advisory fedora remote access webmail information disclosure svg bypass

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here