RoundCube Webmail is a browser-based multilingual IMAP client
with an application-like user interface. It provides full
functionality you expect from an e-mail client, including MIME
support, address book, folder manipulation, message searching
and spell checking. RoundCube Webmail is written in PHP and
requires a database: MySQL, PostgreSQL and SQLite are known to
work. The user interface is fully skinnable using XHTML and
CSS 2.
Update Information:
Release 1.7.1
Enigma: Support automatic public key lookup (import) using HKP v1 protocol
(#5314)
Managesieve: Fix error when a mail message contains duplicate List-Id header
(#10186)
Clarified Elastic installation instructions (#10163)
Added HTMLFormElement.requestSubmit() polyfill for older browsers (#10179)
Fix so "has:attachment" search uses $HasAttachment/$HasNoAttachment keywords
(#10168)
Fix potential too long value in IMAP ID command (#10136)
Fix redis/memcache disconnection in rcube::sleep() (#10127)
Fix so static resources, e.g. skin_logo can be put inside the public_html
directory (#10160)
Fix so REQUEST_URI is used as a fallback if PATH_INFO is not set in static.php
(#10181)
Fix assets_path feature and remove dependency on PATH_INFO (#10185)
Fix MySQL upgrade on MySQL 8.0 and MariaDB 10.5.3 (#10188)
Security: Fix stored XSS/HTML/CSS injection in subject field of the draft
restore dialog
Security: Fix CSS injection bypass in HTML sanitizer via SVG
* Mon May 25 2026 Remi Collet
[ 1 ] Bug #2481615 - CVE-2026-48842 roundcubemail: pre-auth SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481615
[ 2 ] Bug #2481617 - CVE-2026-48844 roundcubemail: code injection via insecure LDAP autovalues option [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481617
[ 3 ] Bug #2481619 - CVE-2026-48843 roundcubemail: information disclosure and Server-Side Request Forgery via insufficient CSS sanitization [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481619
[ 4 ] Bug #2481622 - CVE-2026-48845 roundcubemail: privilege escalation via remote image blocking bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481622
[ 5 ] Bug #2481624 - CVE-2026-48848 roundcubemail: CSS injection via an SVG document that has an animate element with the attributeName attribute [fedora-all]
https://bugzilla.redhat....
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-2b956d89d3' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
Get the latest Linux and open source security news straight to your inbox.