Roundcube Webmail has released new versions 1.5.14, 1.6.14, and 1.7 RC5 to address critical vulnerabilities that could compromise user accounts and mail servers, including flaws that allow password changes without old credentials. Administrators are urged to update their installations immediately to protect against known exploits and to back up data before applying changes. The updates fix issues such as IMAP injection, CSRF bypasses, and XSS bugs in HTML previews that could enable malicious scripts. Version 1.7 RC5 is not yet recommended for production use, while versions 1.5.14 and 1.6.14 are considered secure for deployment

Roundcube Webmail 1.5.14, 1.6.14, and 1.7 RC5 released

Roundcube Webmail has released new versions to patch several critical vulnerabilities that could compromise user accounts and mail servers. Administrators should update production installations immediately because flaws exist that allow attackers to change passwords without knowing the old credentials. The fixes also address dangerous issues like IMAP injection and XSS bugs in HTML previews that might let scripts run inside the client interface. Backing up data before applying these changes remains a necessary precaution since skipping them leaves the system exposed to known exploits.

Roundcube Webmail 1.5.14, 1.6.14, and 1.7 RC5 released @ Linux Compatible