Roundcube Webmail has released versions 1.6.13 and 1.5.13 LTS to address two significant security vulnerabilities: a CSS injection flaw and an SVG-based remote image bypass that have been exploited in recent phishing attacks. These vulnerabilities could potentially expose session cookies and allow hidden trackers to load when users preview messages. Users are advised to back up their data before upgrading and follow a detailed upgrade process to ensure a smooth transition. The 1.5.13 LTS version provides the same security fixes for those who prefer the older long-term branch without adopting newer UI changes
Roundcube 1.16.13 and 1.5.13 released
Roundcube Webmail 1.6.13 (and the 1.5.13 LTS) patches a CSS injection flaw and an SVG‑based remote image bypass that have been weaponized in recent phishing bursts. Ignoring these bugs can expose session cookies or let hidden trackers load when users preview messages, a scenario many admins have already witnessed after a rogue plugin update.
