Roundcube Webmail 1.7.2

This is a security update to version 1.7 of Roundcube Webmail.
It provides fixes for recently reported security vulnerabilities:

  • Fix an infinite loop in TNEF (winmail.dat) decoder (#10193), reported by stafra.
  • Fix various vulnerabilities in the password plugin using session-injected username, reported by Glendaenri and peppersghost.
  • Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432], reported by Bohdan Kurinnoy, Samsung R&D Institute Ukraine (SRUKR).
  • Fix SSRF bypass via specific local address URLs - two new cases, reported by Leenear.
  • Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433], reported by Bohdan Kurinnoy, Samsung R&D Institute Ukraine (SRUKR).
  • Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file, reported by h0rk1p.

This version is considered stable and we recommend updating all production installations of Roundcube to it. Please back up your data before updating!

CHANGELOG

  • Add HEAD request handler to the static.php
  • Fix so the oauth_password_claim claim is retrieved via token or userinfo request (#9631)
  • Fix bug where static.php would return a 416 error on a specific Range request (#10194)
  • Fix bug where configured skin logo wasn't loaded via static.php resulting in 404 error (#10191)
  • Fix bug where installto.sh would fail if public_html folder does not exist in the target directory (#10202)
  • Revert "Prefer 8bit over quoted-printable for HTML parts, when force_7bit is disabled (#8477)" (#10198)
  • Fix incorrect unfolding of folded lines when importing vCard 2.1 contacts (#9647)
  • Fix bug where Imagick could leave large temporary files on failure (#10230)
  • Fix bug where redis/memcache session could have been updated more often than needed
  • Fix support for untyped tokens in OIDC backchannel logout, require unset nonce (#10097)
  • Security: Fix an infinite loop in TNEF (winmail.dat) decoder (#10193)
  • Security: Fix various vulnerabilities in the password plugin using session-injected username
  • Security: Fix stored XSS via unescaped attachment MIME type on the attachment-validation warning page [CVE-2026-54432]
  • Security: Fix SSRF bypass via specific local address URLs - two new cases
  • Security: Fix zero-click stored XSS in plain-text rendering [CVE-2026-54433]
  • Security: Fix DoS via crafted compressed-RTF size in the TNEF (winmail.dat) file
