roundcube/roundcubemail Security Advisories for 1.7-beta2 (9)
- [LOW] Roundcube Webmail: Unsafe deserialization in the redis/memcache session handler
PKSA-wjqw-j5qy-sdfr CVE-2026-35537 GHSA-rxj3-rrwm-pj4r
Affected version: >=1.7-beta,<1.7-rc5
Reported by: GitHub
- [LOW] Roundcube Webmail: Unsanitized IMAP SEARCH command arguments
PKSA-764m-m66v-9t4g CVE-2026-35538 GHSA-8jr8-v43g-5c57
Affected version: >=1.7-beta,<1.7-rc5
Reported by: GitHub
- [MEDIUM] Roundcube Webmail: Insufficient HTML attachment sanitization in preview mode
PKSA-3z5p-dc2d-4drb CVE-2026-35539 GHSA-x4q5-8j5g-hpjc
Affected version: >=1.7-beta,<1.7-rc5
Reported by: GitHub
- [MEDIUM] Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages
PKSA-vsf6-6r3q-jc1x CVE-2026-35540 GHSA-vxg2-hhgr-37fx
Affected version: >=1.7-beta,<1.7-rc5
Reported by: GitHub
- [MEDIUM] Roundcube Webmail: Incorrect password comparison in the password plugin
PKSA-5v34-b81b-ng2h CVE-2026-35541 GHSA-46pv-mj2g-93gh
Affected version: >=1.7-beta,<1.7-rc5
Reported by: GitHub
- [MEDIUM] Roundcube: Bypass of remote image blocking via crafted BODY background attribute
PKSA-kj9x-s73h-chn8 CVE-2026-35542 GHSA-5hf6-crg4-fg59
Affected version: >=1.7-beta,<1.7-rc5
Reported by: GitHub
- [MEDIUM] Roundcube Webmail: Bypass of remote image blocking via SVG content (with animate attributes) in an e-mail message
PKSA-qdpg-77hy-3x5t CVE-2026-35543 GHSA-j2g6-8rvg-7mf6
Affected version: >=1.7-beta,<1.7-rc5
Reported by: GitHub
- [MEDIUM] Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages
PKSA-wvxn-8qzx-v8n9 CVE-2026-35544 GHSA-xpqh-grpw-4xmg
Affected version: >=1.7-beta,<1.7-rc5
Reported by: GitHub
- [MEDIUM] Roundcube Webmail: Remote image blocking feature can be bypassed via SVG content in an e-mail message
PKSA-hnx5-g7mc-vpff CVE-2026-35545 GHSA-w846-74jr-76cv
Affected version: >=1.7-beta,<1.7-rc5
Reported by: GitHub