
Fedora 44 Roundcube Webmail Important SVG Exploit Advisory 2026-6d293b6889

fedora
April 25, 2026
Roundcube Webmail update addresses critical SVG exploit risks, enhancing security for Fedora users.

Summary

RoundCube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an e-mail client, including MIME support, address book, folder manipulation, message searching and spell checking. RoundCube Webmail is written in PHP and requires a database: MySQL, PostgreSQL and SQLite are known to work. The user interface is fully skinnable using XHTML and CSS 2.

Update Information:

Version 1.7-rc6

This is hopefully the last release candidate for the next major version 1.7 of Roundcube Webmail. It provides a fix for a recently reported security vulnerability: SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

We believe it is production ready, but we recommend testing it in a separate environment. Migrate existing configs with either the installto.sh or the update.sh scripts. And don't forget to back up your data before installing it!

CHANGELOG

- Added support for arrays in smtp_user and smtp_pass config options (#10083)
- Added system health checker CLI script (#10106)
- Stricter recognition of an Ajax request (#10118)
- Password: Added Stalwart driver (#10114)
- Fix regression where some data url images could get ignored/lost (#10128)
- Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

Change Log

* Mon Mar 30 2026 Remi Collet - 1.7~rc6-1 - update to 1.7-rc6

References


[ 1 ] Bug #2454784 - CVE-2026-35543 roundcubemail: Roundcube Webmail: Information disclosure and access-control bypass via animated SVG in email [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2454784
[ 2 ] Bug #2454786 - CVE-2026-35545 roundcubemail: Roundcube Webmail: Information disclosure and access-control bypass via SVG content in email. [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2454786
[ 3 ] Bug #2454793 - CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35544 roundcubemail: various flaws [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2454793

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-6d293b6889' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity: important

Name: roundcubemail
Product: Fedora 44
Version: 1.7~rc6
Release: 1.fc44
Summary: Round Cube Webmail is a browser-based multilingual IMAP client
