Hi,

Roundcube just published an update that appears to contain an important
security fix:
https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10

"Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v."

Even though it says "Post-Auth", impact is likely high, as for a
webmailer, it is a very common scenario that many people are
potentially authenticated. (And it may just be another XSS away from
non-authenticated RCE.)

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/
