We just published the third release candidate for the next major version 1.7 of Roundcube webmail.
This release fixes two security issues and contains fixes for several other issues.
The security fixes are:
- Fix CSS injection vulnerability reported by CERT Polska.
- Fix remote image blocking bypass via SVG content reported by nullcathedral.
For the full changelog, please see the release page (https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc3).
The tarballs can be downloaded via roundcube.net (https://roundcube.net/download/) or directly from the release page at github.com (https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc3).
We believe it is production ready, but we recommend testing it in a separate environment.
Migrate existing configs with either the installto.sh or the update.sh script.
And don't forget to back up your data before installing it!
Source: https://roundcube.net/news/2026/02/09/roundcube-1.7-rc3-released