FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Roundcube -- Multiple vulnerabilities

Affected packages
roundcube < 1.6.14,1

Details

VuXML ID c5b93cb5-2363-11f1-81da-8447094a420f
Discovery 2026-03-18
Entry 2026-03-19

The Roundcube project reports:

pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler

password could get changed without providing the old password

IMAP Injection + CSRF bypass in mail search

remote image blocking bypass via various SVG animate attributes

remote image blocking bypass via a crafted body background attribute

fixed position mitigation bypass via use of !important

XSS issue in a HTML attachment preview

SSRF + Information Disclosure via stylesheet links to a local network hosts

[source]

References

URL https://github.com/roundcube/roundcubemail/releases/tag/1.6.14

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.