This update for roundcubemail fixes the following issues:
Changes in roundcubemail:
- update to 1.6.16
+ Fix a potentially over-long value in the IMAP ID command (#10136)
+ Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog [CVE-2026-48849] [bsc#1266337]
+ Security: Fix CSS injection bypass in HTML sanitizer via SVG 'animate attributeName="style"' [CVE-2026-48848] [bsc#1266336]
+ Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass [CVE-2026-48842] [bsc#1266329]
+ Security: Fix SSRF bypass via specific local address URLs [CVE-2026-48843] [bsc#1266331]
+ Security: Fix bypass of remote image blocking via CSS var() [CVE-2026-48846] [bsc#1266334]
+ Security: Fix local/private URL fetch bypass when remote resources were not allowed [CVE-2026-48845] [bsc#1266333]
+ Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass [CVE-2026-48847] [bsc#1266335]
+...
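The virtuser_query entry above names the bug class (a preg_replace-based quote escape that a backslash in the input defeats) but not the code. As an added illustration that is not Roundcube's own code, the Python below mirrors that pattern with re.sub, walks the resulting SQL with MySQL's default backslash-escape string rules to show where the literal really ends, and sets the two fixes beside it: escape the escape character before the quote, or bind the value as a parameter. The table and column names and the sample rows are assumptions made for this example.

```python
import re
import sqlite3

# Hypothetical lookup in the style of a virtual-user query; the table and
# column names are assumptions for this example, not Roundcube's schema.
QUERY_PREFIX = "SELECT user FROM users WHERE email = "


def naive_quote(value: str) -> str:
    """Quote a value by escaping only single quotes (the equivalent of a
    preg_replace that rewrites ' to backslash-quote).  Backslashes already in
    the input pass through untouched, which is the whole problem."""
    return "'" + re.sub(r"'", r"\\'", value) + "'"


def hardened_quote(value: str) -> str:
    """Escape the escape character first, then the quote, so a backslash in the
    input can never pair up with the backslash the quote escape inserts."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"


def literal_extent(sql: str, start: int) -> int:
    """Index just past the single-quoted literal that opens at sql[start], using
    MySQL's default string rules: a backslash escapes the next character and a
    doubled quote is a literal quote.  This shows where the server's parser
    thinks the value ends."""
    if sql[start] != "'":
        raise ValueError("not positioned at a quote")
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\":
            i += 2                      # escaped character, whatever it is
        elif ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2                  # '' inside a literal is a quote
            else:
                return i + 1            # closing quote
        else:
            i += 1
    raise ValueError("unterminated string literal")


def injected_tail(quoter, value: str) -> str:
    """Everything the parser reads after the quoted value: empty when the value
    stayed inside the literal, otherwise the text the attacker smuggled out."""
    sql = QUERY_PREFIX + quoter(value)
    return sql[literal_extent(sql, len(QUERY_PREFIX)):]


def lookup_parameterized(email: str) -> list:
    """The real fix: bind the value instead of splicing it into SQL text.
    Runs against an in-memory SQLite table with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    rows = con.execute("SELECT user FROM users WHERE email = ?", (email,)).fetchall()
    con.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    payload = "\\' OR 1=1 -- "          # a backslash, then a quote, then SQL
    print("naive    :", repr(injected_tail(naive_quote, payload)))
    print("hardened :", repr(injected_tail(hardened_quote, payload)))
    print("bound    :", lookup_parameterized(payload))
```

With the naive escaper the payload's backslash and the inserted backslash become one escaped backslash, the attacker's quote closes the literal, and ` OR 1=1 -- ` is parsed as SQL. The hardened escaper is only correct for a backslash-escaping dialect; a bound parameter is the dialect-independent answer and needs no escaping logic at all.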
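Two of the entries above concern fetching a local or private address when a URL check was meant to stop it. The exact URL forms that slipped past Roundcube's check are not given on this page, so the following added example, which is not Roundcube's code, shows the general class: a string-matching check that alternative spellings of the loopback address walk around, next to a check that canonicalises literals the way the C library does, resolves names, and tests every resulting address against the blocked ranges. The hostnames and the resolver table are constructed so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges a server-side fetcher should never reach on a user's behalf.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",                                        # connect() to 0.0.0.0 lands on localhost
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
    "100.64.0.0/10",                                    # carrier-grade NAT
    "127.0.0.0/8",                                      # loopback
    "169.254.0.0/16",                                   # link-local, incl. cloud metadata endpoints
    "::/128", "::1/128", "fc00::/7", "fe80::/10",       # IPv6 equivalents
)]

# Constructed resolver so the example runs offline; real code would call
# socket.getaddrinfo and then connect to the very address it checked.
FAKE_DNS = {
    "internal.example.test": ["10.0.0.5"],
    "www.example.test": ["203.0.113.10"],
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host.lower(), [])


def naive_is_local(url: str) -> bool:
    """A string-matching check of the kind that literal-address variants bypass."""
    host = urlsplit(url).hostname or ""
    return host in ("localhost", "127.0.0.1", "::1") or host.startswith(("10.", "192.168."))


def parse_ip_literal(host: str):
    """Canonical address for any literal the C library would accept, or None if
    the host is a name.  inet_aton understands the shorthand forms that the
    ipaddress module rejects: 127.1, 0x7f000001, 0177.0.0.1, 2130706433."""
    try:
        if ":" in host:
            ip = ipaddress.ip_address(host)
            if ip.ipv4_mapped is not None:          # ::ffff:127.0.0.1 -> 127.0.0.1
                ip = ip.ipv4_mapped
            return ip
        return ipaddress.ip_address(socket.inet_aton(host))
    except (ValueError, OSError):
        return None


def hardened_is_local(url: str, resolve=fake_resolve) -> bool:
    """Canonicalise the host, resolve names, and test every address against the
    blocked ranges.  Fails closed on anything it cannot interpret."""
    host = urlsplit(url).hostname
    if not host:
        return True
    literal = parse_ip_literal(host)
    addrs = [literal] if literal is not None else [parse_ip_literal(a) for a in resolve(host)]
    if not addrs or any(a is None for a in addrs):
        return True
    return any(a in net for a in addrs for net in BLOCKED_NETWORKS)


if __name__ == "__main__":
    for u in ("http://127.1/", "http://0x7f000001/", "http://[::ffff:127.0.0.1]/",
              "http://169.254.169.254/latest/meta-data/", "http://internal.example.test/",
              "http://www.example.test/logo.png"):
        print(f"{u:45} naive={naive_is_local(u)!s:5} hardened={hardened_is_local(u)}")
```

A check like hardened_is_local is still only one layer: the fetcher must also restrict schemes, re-run the check on every redirect, and connect to the address it validated rather than resolving the name a second time, otherwise a DNS answer that changes between check and connect gets the same private address through.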
openSUSE Leap 16.0:
roundcubemail-1.6.16-bp160.1.1
* bsc#1266329
* bsc#1266331
* bsc#1266332
* bsc#1266333
* bsc#1266334
* bsc#1266335
* bsc#1266336
* bsc#1266337
References:
* https://www.suse.com/security/cve/CVE-2026-48842.html
* https://www.suse.com/security/cve/CVE-2026-48843.html
* https://www.suse.com/security/cve/CVE-2026-48844.html
* https://www.suse.com/security/cve/CVE-2026-48845.html
* https://www.suse.com/security/cve/CVE-2026-48846.html
* https://www.suse.com/security/cve/CVE-2026-48847.html
* https://www.suse.com/security/cve/CVE-2026-48848.html
* https://www.suse.com/security/cve/CVE-2026-48849.html