We just published the second release candidate for the next major version 1.7 of Roundcube webmail.
This release fixes two security issues and one syntax error in a database migration file for Postgres databases.
The changes are:
- Fix Cross-Site-Scripting vulnerability via SVG's animate tag reported by Valentin T., CrowdStrike.
- Fix Information Disclosure vulnerability in the HTML style sanitizer reported by somerandomdev.
- Fix syntax error in DDL scripts for Postgres (#10052)
We believe it is production ready, but we recommend to test it on a separate environment.
Migrate existing configs with either the
installto.sh (#post_) or the
update.sh (#post_) scripts.
And don't forget to backup your data before installing it!
Source: https://roundcube.net/news/2025/12/15/roundcube-1.7-rc2-released
Get it Now: https://roundcube.net/download