Forgot the links to the upstream fixes, sorry. Here they are for the release-1.6 branch.
On Sun, 24 May 2026 at 13:12:24 +0200, Guilhem Moulin wrote: > 1. Stored XSS/HTML/CSS injection in subject field of the draft restore > dialog. https://github.com/roundcube/roundcubemail/commit/a21519187873ce962db029b6ff68e47bd7f3fd8a > 2. CSS injection bypass in HTML sanitizer via SVG <animate > attributeName="style">. https://github.com/roundcube/roundcubemail/commit/58e5263f341e6a418774fb6d2643669a3c4d8a27 > 3. Pre-auth SQL injection in virtuser_query plugin via preg_replace > backslash escape bypass. https://github.com/roundcube/roundcubemail/commit/87124cc7136a48b5fa9d2b40dfead6e9dcaeaf4b > 4. SSRF bypass via specific local address URLs. https://github.com/roundcube/roundcubemail/commit/cb3fc9041e91640ba9ba49ee7b2147c176ebf5a1 > 5. Local/private URL fetch bypass when remote resources were not > allowed. https://github.com/roundcube/roundcubemail/commit/7b52353653a67e6073b97d70eb94047132b78556 > 6. Bypass of remote image blocking via CSS var(). https://github.com/roundcube/roundcubemail/commit/852350486b88b35b8544e8a630fad89e99e2150a > 7. Pre-auth arbitrary file delete via redis/memcache session poisoning > bypass. https://github.com/roundcube/roundcubemail/commit/703318e6a59515b73b0d8aa2a91e346b02f56baa > 8. Code injection vulnerability via code evaluation support in LDAP > autovalues option. Code evaluation support has now been removed. https://github.com/roundcube/roundcubemail/commit/ea1798a6fbf060abcc0ba73b2435036bf8016a5a -- Guilhem.
signature.asc
Description: PGP signature
