Roundcube, a PHP-based webmail frontend, released a series of security updates on Feb 8, again with little fanfare. From the release announcement:
* Fix CSS injection vulnerability reported by CERT Polska.
* Fix remote image blocking bypass via SVG content reported by nullcathedral.

These are fixed in the newly-released versions 1.5.13 and 1.6.13. While not mentioned in the official announcement, these appear to be CVE-2026-26079 (4.7) and CVE-2026-25916 (4.3) respectively.

Full announcement: https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13

-Valtteri
