We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain fixes for recently reported two security vulnerabilities.
Security fixes- Fix CSS injection vulnerability reported by CERT Polska.
- Fix remote image blocking bypass via SVG content reported by nullcathedral.
See the full changelogs in the release notes on the Github download pages for the updated versions 1.6.13 (https://github.com/roundcube/roundcubemail/releases/tag/1.6.13) and 1.5.13 (https://github.com/roundcube/roundcubemail/releases/tag/1.5.13).
We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.5.x with this new versions.
Source: https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13
Get it Now: https://roundcube.net/download