
openSUSE Roundcubemail Important XSS SQL Injection Fix Advisory 2026-0183-1

June 11, 2026

openSUSE has released a security update for roundcubemail that addresses 8 vulnerabilities.
An update that fixes 8 vulnerabilities is now available.

Description

This update for roundcubemail fixes the following issues:

Update to 1.6.16

- Fix potential too long value in IMAP ID command (#10136)
- CVE-2026-48849: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog [boo#1266337]
- CVE-2026-48848: Fix CSS injection bypass in HTML sanitizer via SVG [boo#1266336]
- CVE-2026-48842: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass [boo#1266329]
- CVE-2026-48843: Fix SSRF bypass via specific local address URLs [boo#1266331]
- CVE-2026-48846: Fix bypass of remote image blocking via CSS var() [boo#1266334]
- CVE-2026-48845: Fix local/private URL fetch bypass when remote resources were not allowed [boo#1266333]
- CVE-2026-48847: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass [boo#1266335]
- CVE-2026-48844: Fix code injection vulnerability - remove support for code evaluation in...


Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP7:

  zypper in -t patch openSUSE-2026-183=1

- openSUSE Backports SLE-15-SP6:

  zypper in -t patch openSUSE-2026-183=1
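As an added example that is not part of the advisory, a POSIX shell check that compares the installed roundcubemail package version against the fixed 1.6.16 release before the patch command above is run; the function names and the constructed sample package string are assumptions, not openSUSE tooling:

```shell
#!/bin/sh
# Decide whether the installed roundcubemail package still needs the
# openSUSE-2026-183 update by comparing its upstream version with the
# fixed release named in the advisory (1.6.16).
FIXED_VERSION="1.6.16"

# Extract the upstream version from an "rpm -q" style package name, e.g.
# "roundcubemail-1.6.15-bp157.2.11.1" -> "1.6.15".
rc_version_of() {
    printf '%s\n' "$1" | sed -E 's/^roundcubemail-([0-9]+(\.[0-9]+)*)-.*$/\1/'
}

# Returns 0 (true) when the package string carries a version older than
# FIXED_VERSION. sort -V orders by numeric components, so 1.6.9 sorts
# before 1.6.16 (a plain lexical compare would get this wrong).
rc_needs_patch() {
    v=$(rc_version_of "$1")
    first=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n1)
    [ "$v" != "$FIXED_VERSION" ] && [ "$first" = "$v" ]
}

# Query the real package where rpm is available; otherwise fall back to a
# constructed sample name so the script still runs offline.
installed=""
if command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q roundcubemail 2>/dev/null) || installed=""
fi
[ -n "$installed" ] || installed="roundcubemail-1.6.15-bp157.2.11.1"  # constructed sample

if rc_needs_patch "$installed"; then
    echo "$installed is older than $FIXED_VERSION: apply patch openSUSE-2026-183=1"
else
    echo "$installed already includes the 1.6.16 fixes"
fi
```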

Package List

- openSUSE Backports SLE-15-SP7 (noarch):

  roundcubemail-1.6.16-bp157.2.12.1

- openSUSE Backports SLE-15-SP6 (noarch):

  roundcubemail-1.6.16-bp156.2.18.1

References

https://www.suse.com/security/cve/CVE-2026-48842.html

https://www.suse.com/security/cve/CVE-2026-48843.html

https://www.suse.com/security/cve/CVE-2026-48844.html

https://www.suse.com/security/cve/CVE-2026-48845.html

https://www.suse.com/security/cve/CVE-2026-48846.html

https://www.suse.com/security/cve/CVE-2026-48847.html

https://www.suse.com/security/cve/CVE-2026-48848.html

https://www.suse.com/security/cve/CVE-2026-48849.html

https://bugzilla.suse.com/1266329

https://bugzilla.suse.com/1266331

https://bugzilla.suse.com/1266332

https://bugzilla.suse.com/1266333

https://bugzilla.suse.com/1266334

https://bugzilla.suse.com/1266335

https://bugzilla.suse.com/1266336

https://bugzilla.suse.com/1266337

Severity: important

Announcement ID: openSUSE-SU-2026:0183-1
Rating: important
Affected Products: openSUSE Backports SLE-15-SP6, openSUSE Backports SLE-15-SP7
