Roundcube 1.7.2 and 1.6.17 Out Now: Critical Security Patches for Zero-Click XSS and SSRF Flaws
Roundcube has released versions 1.7.2 and 1.6.17, delivering critical security patches for the widely deployed self-hosted webmail client. The updates resolve multiple high-severity vulnerabilities, including a zero-click stored XSS flaw, an SSRF bypass, and several issues in the password plugin involving session-injected usernames. Findings from independent researchers and Samsung R&D highlight the increasingly active threat landscape around the PHP-based IMAP webmail client, and the project recommends an immediate production rollout. Administrators should back up their database and configuration, then follow the official upgrade guide, so that unpatched installations are not left exposed now that the flaws are public.
Both releases also carry routine maintenance fixes. 1.7.2 is the update for the 1.7 branch, and 1.6.17 is the corresponding update for installations that remain on the 1.6 LTS branch.
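Before scheduling the rollout, an administrator usually wants a quick way to tell whether a given install is already at or above the patched release for its branch. The POSIX shell snippet below is an added example, not Roundcube's own tooling; it assumes the install directory defines `RCMAIL_VERSION` in `program/include/iniset.php` (the file path and constant name are assumptions) and applies the thresholds stated above: 1.7.x needs at least 1.7.2, 1.6.x needs at least 1.6.17, and older branches have no fix.

```shell
#!/bin/sh
# Added example (not Roundcube's own tooling): report whether an installed
# Roundcube is at or above the patched release for its branch
# (1.7.x >= 1.7.2, 1.6.x LTS >= 1.6.17, as stated in the release note).
# Assumption: the install defines RCMAIL_VERSION in program/include/iniset.php.

# rc_installed_version INSTALL_DIR
# Prints the version string found in the install's iniset.php (empty if absent).
rc_installed_version() {
    sed -n "s/.*define('RCMAIL_VERSION', *'\([^']*\)').*/\1/p" \
        "$1/program/include/iniset.php" 2>/dev/null
}

# rc_patched VERSION
# Prints patched | vulnerable | unknown and returns 0 only for "patched".
# Suffixes such as "-git" or "-rc1" are ignored; a missing patch level counts as 0,
# so a development checkout of a branch is treated as unpatched.
rc_patched() {
    # Split "MAJOR.MINOR[.PATCH][suffix]" into three positional words.
    set -- $(printf '%s\n' "$1" | \
        sed 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\{0,1\}\([0-9]*\).*/\1 \2 \3/')
    major=$1; minor=$2; patch=${3:-0}
    case "$major.$minor" in
        1.7) min=2 ;;
        1.6) min=17 ;;
        1.[0-5]|0.*) echo vulnerable; return 1 ;;  # end-of-life branches: no fix shipped
        *)           echo unknown; return 1 ;;     # branch newer than this note covers
    esac
    if [ "$patch" -ge "$min" ]; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# Typical use on a server (path is an assumption):
#   rc_patched "$(rc_installed_version /var/www/roundcube)"
```

The exit status makes the function usable as a gate in a fleet check (`rc_patched "$(rc_installed_version "$dir")" || echo "$dir needs upgrade"`); an `unknown` result means the branch is newer than this note covers and should be checked against the project's own release notes rather than assumed safe.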
