
Roundcube Webmail has released new versions for its 1.6 and 1.5 series, versions 1.6.12 and 1.5.12, whose main purpose is to fix several security vulnerabilities in older releases. The most important fixes prevent Cross-Site Scripting (XSS) through certain SVG elements and close holes in the HTML sanitizer that could lead to XSS or information disclosure. Users running Roundcube 1.6.x or earlier are advised to upgrade to 1.6.12 promptly; those who must stay on the older LTS branch should update to 1.5.12. The updates also bring smaller improvements such as IPv6 support in database DSNs and better contact search.
Roundcube Webmail 1.6.12 and 1.5.12 released

Roundcube Webmail, the popular web-based email client, has quietly released new versions for its 1.6 and 1.5 series: version 1.6.12 for the current stable branch and 1.5.12 for the 1.5 branch, which the project's release notes still describe as the Long Term Support (LTS) version.

The main reason these updates exist is security. They fix several important vulnerabilities in older versions of Roundcube. The most critical fix is for a Cross-Site Scripting (XSS) issue triggered by certain SVG elements, specifically an SVG animate tag, reported by Valentin T. of CrowdStrike and fixed in both branches. Also patched are weaknesses in the HTML sanitizer, the component that strips dangerous markup from messages before they are rendered: another XSS possibility via SVG and a separate information disclosure flaw uncovered by a community user known as somerandomdev.
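The announcement does not publish the details of the fixes, so the following is a general illustration rather than Roundcube's own sanitizer or the exact bug: an allowlist sanitizer that accepts SVG must also drop SMIL animation elements such as animate, because they can rewrite an attribute (for example a link's href) at runtime, after a check on the static attribute value has already passed. This example was written for this article; the element and attribute allowlists and the sample markup are constructed for the demonstration and are not Roundcube's configuration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlists for the example (not Roundcube's own lists).
ALLOWED_TAGS = {"p", "br", "b", "i", "a", "span",
                "svg", "g", "rect", "circle", "path", "text"}
# Elements discarded together with their content. The SMIL animation elements
# are here because they can change attributes after sanitization has run.
DROP_WITH_CONTENT = {"script", "style",
                     "animate", "set", "animatemotion", "animatetransform"}
ALLOWED_ATTRS = {"href", "xlink:href", "xmlns", "x", "y", "width", "height",
                 "r", "d", "fill", "viewbox"}
URL_ATTRS = {"href", "xlink:href"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def url_is_safe(value: str) -> bool:
    """Allow relative URLs and a short scheme allowlist; reject javascript:
    and similar schemes, including obfuscations such as "java\\tscript:"."""
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    head = cleaned.split("/", 1)[0]
    if ":" not in head:
        return True
    return head.split(":", 1)[0].lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[str] = []   # audit trail of what was removed
        self._skip = 0                 # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(tag)
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return                     # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS:          # also rejects on* handlers and style
                continue
            if name in URL_ATTRS and not url_is_safe(value):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in DROP_WITH_CONTENT:
            self._skip -= 1            # self-closing element: no content to skip

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if not self._skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))


# Constructed sample: the link's static href is harmless, so a check that only
# looks at href would pass it; the animate element would swap it for javascript:.
SAMPLE = (
    '<p>Hi <b>there</b></p>'
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<a href="https://example.com">'
    '<animate attributeName="href" values="javascript:alert(1)" />'
    '<text x="10" y="20">click</text></a></svg>'
    '<a href="javascript:alert(2)">x</a>'
)


def sanitize(markup: str) -> tuple[str, list[str]]:
    """Return (sanitized markup, list of removed elements/attributes)."""
    s = Sanitizer()
    s.feed(markup)
    s.close()
    return "".join(s.out), s.dropped


if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE)
    print(clean)
    print("dropped:", dropped)
```

The point to take from the sample is the dropped list: the animate element is removed even though every attribute on the surrounding a element was acceptable, and the second link loses its javascript: href outright. A sanitizer that allowlists SVG by element name alone, without treating the animation elements as dangerous, would have let the first case through.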

If you're running Roundcube 1.6.x or earlier, it's wise to upgrade to version 1.6.12 right away. Back up your data before proceeding, as you always should. This release also brings some smaller benefits beyond the security fixes. For example, database DSNs now accept IPv6 addresses, which will help users whose database server is reachable only over IPv6.

Other improvements in 1.6.12: a setting that forced PHP error reporting on has been removed; compatibility with PHP 8.5 has been added, which matters for anyone on a newer stack; and contact search now properly handles vCard fields listed in the contactlist_fields configuration option.

The 1.5.12 update offers the same relief if you're still on the older LTS branch (though moving to 1.6 is clearly preferable). It addresses the same core security problems: the SVG XSS and the HTML sanitizer issues.

So the advice is the same as for every security release: upgrade, and do it promptly. If possible, go straight to 1.6.12. If staying on 1.5 is unavoidable, applying 1.5.12 will secure your installation against the flaws reported here. And take a backup before any upgrade; that goes without saying.
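To turn that advice into a check you can run against an installation, here is a small script written for this article (not a Roundcube tool). It assumes the installed version is the RCMAIL_VERSION constant that Roundcube defines in program/include/iniset.php; the iniset.php snippet below is a constructed sample, and the branch-to-fixed-version table is taken from the announcement above. It also handles two edge cases the article does not spell out: pre-release suffixes such as -rc or -git sort below the final release of the same number, and branches older than 1.5 received no fix at all.

```python
import re

# Fixed releases named in the announcement, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {(1, 6): "1.6.12", (1, 5): "1.5.12"}
RECOMMENDED = "1.6.12"

# Constructed sample of the define() line from program/include/iniset.php.
# A real file contains much more around it; only this line is needed here.
SAMPLE_INISET = "<?php\n\ndefine('RCMAIL_VERSION', '1.6.11');\n"

_VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def read_version(iniset_source: str) -> str:
    """Extract the RCMAIL_VERSION string from the contents of iniset.php."""
    m = _VERSION_RE.search(iniset_source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found in iniset.php contents")
    return m.group(1)


def version_key(version: str) -> tuple[int, int, int, int]:
    """Sortable key: (major, minor, patch, final) where final is 0 for any
    suffixed build (-rc, -beta, -git) so it sorts below the real release."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(-.*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def upgrade_advice(version: str) -> str:
    """Classify an installed version against the fixed releases."""
    key = version_key(version)
    branch = key[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        if key > version_key(RECOMMENDED):
            return f"newer than {RECOMMENDED}; not covered by this announcement"
        return f"unsupported branch {branch[0]}.{branch[1]}; upgrade to {RECOMMENDED}"
    if key >= version_key(fixed):
        return "patched"
    return f"vulnerable; upgrade to {fixed}"


if __name__ == "__main__":
    installed = read_version(SAMPLE_INISET)
    print(installed, "->", upgrade_advice(installed))
```

On a real host, replace SAMPLE_INISET with the contents of program/include/iniset.php under the Roundcube document root, and treat anything other than "patched" as an action item.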

Release notes

Roundcube Webmail 1.6.12 (roundcube/roundcubemail on GitHub): "This is a security update to the stable version 1.6 of Roundcube Webmail."

Roundcube Webmail 1.5.12 (roundcube/roundcubemail on GitHub): "This is a security update to the LTS version 1.5 of Roundcube Webmail."