Stay Secure with the Latest Linux Advisories

security advisoryimportantOpenSUSE

openSUSE Roundcube Major Remote Asset Display Weakness 2026-0141-2

An update that solves one vulnerability and has one errata is now available.. openSUSE Security Update: Security update for roundcubemail ______________________________________________________________________________ Announcement ID: openSUSE-SU-2026:0141-1 Rating: important References: #1261157 #1261488 Cross-References: CVE-2026-35537 Affected Products: openSUSE Backports SLE-15-SP7 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for roundcubemail fixes the following issues: - update to 1.6.15 This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability: SVG Animate FUNCIRI Attribute Bypass \u2014 Remote Image Loading via fill/filter/stroke, reported by class_nzm. This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating! + Fix regression where mail search would fail on non-ascii search criteria (#10121) + Fix regression where some data url images could get ignored/lost (#10128) + Fix SVG Animate FUNCIRI Attribute Bypass \u2014 Remote Image Loading via fill/filter/stroke (boo#1261157) - update to 1.6.14 This is a security update to the stable version 1.6 of Roundcube Webmail. + Fix Postgres connection using IPv6 address (#10104) + Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler (boo#1261488, CVE-2026-35537) + Security: Fix bug where a password could get changed without providing the old password + Security: Fix IMAP Injection + CSRF bypass in mail search + Security: Fix remote image blocking bypass viavarious SVG animate attributes + Security: Fix remote image blocking bypass via a crafted body background attribute + Security: Fix fixed position mitigation bypass via use of !important + Security: Fix XSS issue in a HTML attachment preview + Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP7: zypper in -t patch openSUSE-2026-141=1 Package List: - openSUSE Backports SLE-15-SP7 (noarch): roundcubemail-1.6.15-bp157.2.9.1 References: https://www.suse.com/security/cve/CVE-2026-35537.html https://bugzilla.suse.com/1261157 https://bugzilla.suse.com/1261488 . Update for openSUSE fixes important issues in Roundcube including security bypasses and errata updates.. openSUSE roundcube security patch vulnerabilities. . Severity: Important. LinuxSecurity.com Team

Apr 20, 2026 •Important OpenSUSE