We just published a service and security update to the stable version 1.4 of Roundcube Webmail. It provides a fix for a recently reported stored XSS vulnerability as well a some general improvements from our issue tracker.
Security fix
Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
Credits for this finding go to Mateusz Szymaniec (CERT Polska).
See the full changelog in the release notes (https://github.com/roundcube/roundcubemail/releases/tag/1.4.11) on the Github download page.
This release is considered stable and we recommend to update all productive installations of Roundcube with this version. Download it from roundcube.net (http://roundcube.net).
Please do backup your data before updating!
Source: https://roundcube.net/news/2021/02/08/security-update-1.4.11
Get it Now: https://roundcube.net/download