
Roundcube Webmail 1.6.13 (and the 1.5.13 LTS) patches a CSS injection flaw and an SVG‑based remote image bypass that have been weaponized in recent phishing bursts. Ignoring these bugs can expose session cookies or let hidden trackers load when users preview messages, a scenario many admins have already witnessed after a rogue plugin update.

Update Roundcube Webmail to 1.6.13 now – patch CSS injection and SVG image bypass

Roundcube Webmail 1.6.13 has landed with fixes for two serious security flaws that have been floating around the community for a few weeks. This article explains what those bugs actually do, why ignoring them is risky, and walks through a safe upgrade path for production servers.

Why the fix matters

The first issue is a CSS injection vulnerability reported by CERT Polska. By injecting malicious style rules into email bodies, an attacker could trick a user’s browser into revealing session cookies or other sensitive data when the message is opened. The second flaw lets a crafted SVG file bypass Roundcube’s remote‑image blocking, effectively turning an “image‑only” phishing mail into a stealthy tracker. In real‑world deployments, admins have seen spam campaigns exploit the SVG bypass to load external beacons the moment a user opens the preview pane. Both bugs are easy to trigger and hard to detect without proper logging.

Back up before you touch anything

Roundcube stores configuration in a PHP file and user data in a database, so a simple dump is usually enough.

  1. Export the database. For MySQL/MariaDB: mysqldump -u root -p roundcube > roundcube.sql (use the equivalent dump tool for PostgreSQL/SQLite). This creates a point‑in‑time snapshot you can roll back to if something goes sideways.
  2. Copy the entire installation directory, e.g., cp -a /var/www/roundcube /var/www/roundcube.bak. Keeping the old files handy makes it trivial to revert Apache/Nginx configs that might have been tweaked.

Backing up isn’t just a formality; a mis‑step during the upgrade can leave the webmail interface inaccessible, and you’ll thank yourself when you need to restore quickly.

Step‑by‑step upgrade process
  1. Download the release – Grab the tarball from the official site:

    wget https://github.com/roundcube/roundcubemail/releases/download/1.6.13/roundcubemail-1.6.13.tar.gz
    Pulling directly from the source guarantees you get the signed package that contains the patched code.

  2. Extract into a temporary folder – tar -xzf roundcubemail-1.6.13.tar.gz -C /tmp.

  3. Replace core files – Move the new program/ and skins/ directories over the old ones:

    cp -a /tmp/roundcubemail-1.6.13/program/* /var/www/roundcube/program/
    cp -a /tmp/roundcubemail-1.6.13/skins/* /var/www/roundcube/skins/

    Only core files are swapped; custom plugins and config stay untouched.

  4. Run the upgrade script – From the installation root execute php bin/update.sh. The script checks the database schema and applies any needed migrations.

  5. Clear caches – Delete the contents of temp/cache/ and temp/sessions/ so stale data doesn’t cause odd UI glitches.

  6. Test the login page – Open a browser, log in with a regular account, and verify that messages load correctly and remote images are still blocked by default.

If any step throws an error, revert to the backup made earlier and double‑check file permissions (the web server user must be able to read and write temp/).
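The following is an added example, not a script from the article or from the Roundcube project (which ships its own bin/installto.sh for upgrades). It automates the directory backup, the program/ and skins/ swap from step 3 and the cache clearing from step 5, leaving config/ and plugins/ untouched; the database dump is not repeated. It assumes the release is already extracted and, as an assumption about the code base, that program/include/iniset.php defines RCMAIL_VERSION, which it reads to confirm the swap took effect.

```shell
#!/bin/sh
# Added example: backup, core-file swap and cache clearing for a Roundcube
# install. Assumed (not from the article): the release is already extracted,
# and program/include/iniset.php defines RCMAIL_VERSION.
set -eu

# Copy the whole install aside before touching it; prints the backup path.
backup_install() {
    src="$1"
    dest="${src}.bak.$(date +%Y%m%d%H%M%S)"
    cp -a "$src" "$dest"
    printf '%s\n' "$dest"
}

# Overwrite only the two core directories; config/ and plugins/ stay untouched.
swap_core_files() {
    inst="$1"; new="$2"
    for d in program skins; do
        [ -d "$new/$d" ] || { echo "missing $new/$d in release" >&2; return 1; }
        mkdir -p "$inst/$d"
        cp -a "$new/$d/." "$inst/$d/"
    done
}

# Remove stale cache and session files (the directories themselves are kept).
clear_caches() {
    inst="$1"
    for d in temp/cache temp/sessions; do
        [ -d "$inst/$d" ] && find "$inst/$d" -mindepth 1 -delete
    done
    return 0
}

# Read the version constant from the installed core (assumed location).
installed_version() {
    sed -n "s/.*define('RCMAIL_VERSION', *'\([^']*\)').*/\1/p" \
        "$1/program/include/iniset.php"
}

# Full run: backup, swap, clear caches, then report the installed version.
upgrade_roundcube() {
    inst="$1"; new="$2"
    backup_install "$inst" >/dev/null
    swap_core_files "$inst" "$new"
    clear_caches "$inst"
    installed_version "$inst"
}
```

Run it as `upgrade_roundcube /var/www/roundcube /tmp/roundcubemail-1.6.13` after the database dump, then continue with bin/update.sh and the login test from step 6.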

Release Roundcube Webmail 1.6.13 (roundcube/roundcubemail on GitHub):

“This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to recently reported security vulnerabilities.”

What about the 1.5.13 LTS release?

Roundcube also pushed a 1.5.13 LTS version that carries the same patches. For sites locked into the older long‑term branch, upgrading to 1.5.13 is the equivalent of jumping onto the 1.6.13 train – you get the security fixes without adopting newer UI changes. The upgrade steps are identical; just replace the download URL with the 1.5.13 tarball.

Release Roundcube Webmail 1.5.13 (roundcube/roundcubemail on GitHub):

“This is a security update to the LTS version 1.5 of Roundcube Webmail. It provides fixes to recently reported security vulnerabilities.”

That’s it. Apply the patch now, keep backups handy, and let your users enjoy a cleaner, safer inbox.