We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail, as well as a release candidate for coming 1.7. They contain fixes for recently reported set of security vulnerabilities.

Security fixes

• SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

See the full changelogs in the release notes on the Github download pages for the updated versions

• 1.7-rc6
• 1.6.15
• 1.5.15

We strongly recommend to update your productive installations of Roundcube with this new versions.

Source: https://roundcube.net/news/2026/03/29/security-updates-1.7-rc6-1.6.15-1.5.15
Get it Now: https://roundcube.net/download

Quote from: SKaero on March 27, 2026, 01:02:57 AMI don't see is a way to switch to light / default mode in case there is a message that needs to be view in the original form.

You are right, I just use the "sun" icon in the left side panel.

But I understand that it is a good thing to have a toggle in the message panel itself, like in Thunderbird where I myself use the toggle once in awhile. It would also be good to have when viewing a message in a new window.

That is something I can look at.

Thanks for your answer. I was able to fix it by reinstalling the package and, maybe the more importand point, by recreating the database.

Micha

The plugin looks good. One thing I don't see is a way to switch to light / default mode in case there is a message that needs to be view in the original form.

I wrote a plug-in for RoundCubeMail 1.7 that patches dark-mode to work in the message viewer and the message editor.

I hope someone can use it as well as myself.

rpc-scandinavia/rpc_rcm_patches: Packagist page

/etc/roundcube/debian-db.php is not the default location for the Roundcube config, and because the error has "(using password: NO)" indicates that it likely not reading the config file at all assuming that there is a database password.

My guess is that was a change made in the package from your distro and its no longer checking the custom config location.

Moin,

roundcube has been working flawlessly on my computer for many years. I hadn't used it for a while now because I was using MUA on my laptop. In the meantime, there were a few updates on my server, including the upgrade from Debian 12 to 13.

Now Roundcube isn't working anymore. Error in /var/log/roundcube/errors.log:

Quote[26-Mar-2026 13:26:55 +0000]: <43a93627> DB Error: SQLSTATE[HY000] [1045] Access denied for user 'roundcube'@'localhost' (using password: NO) in /usr/share/roundcube/program/lib/Roundcube/rcube_db.php on line 202 (GET /roundcube/?_task=mail&_mbox=INBOX)

The settings in /etc/roundcube/debian-db.php are correct, however, the file has not been edited since 2022.

Installed:

root@boulder ~ # dpkg --list | grep roundcube
ii roundcube-core 1.6.13+dfsg-0+deb13u1 all skinnable AJAX based webmail solution for IMAP servers
ii roundcube-mysql 1.6.13+dfsg-0+deb13u1 all metapackage providing MySQL dependencies for RoundCube
ii roundcube-skin-classic 1.6.0+ds-3 all skinnable AJAX based webmail solution for IMAP servers - classic theme
ii roundcube-skin-larry 1.6.1+ds-3 all skinnable AJAX based webmail solution for IMAP servers - Larry theme

Any hint?

Quote from: alec on March 24, 2026, 02:41:44 AMhttps://github.com/roundcube/roundcubemail/issues/10121

O, many thanks!

This patch actually fixed the problem. I pointed AI to this link; It didn't know the solution until now.

The indication that the problem was in versions 1.6.12 and 1.6.13 is my mistake. The problem only appeared in 1.6.14, as far as I understand.

G'day for all!

After upgrading roundcube to 1.6.12 (1.6.13, 1.6.14, too) we can't do serching in folders in Russian (non ASCII symbols).

QuoteServer error: UID THREAD: Error in IMAP command UID THREAD: Missing LF after literal size (0.001 + 0.000 secs).

Search is only possible in English (ASCII). Where error from?