Roundcube Webmail 1.6.16 LTS and 1.7.1 released

Roundcube Webmail has released security updates for its 1.6.16 LTS and 1.7.1 stable branches, addressing critical vulnerabilities that could allow attackers to exploit SQL injection, hijack sessions, and execute arbitrary code. Server administrators are advised to back up their systems before applying the patches, ensuring custom configurations are preserved, and to run a built-in migration script afterward. The updates enhance security by tightening the handling of external resources and session data, effectively blocking potential attacks like session poisoning and unauthorized resource access. Admins should monitor server logs post-upgrade to identify any conflicts with existing plugins and minimize disruption during implementation.



Roundcube Webmail just pushed security patches to both its LTS and stable branches, closing a messy list of flaws that could let attackers inject code or hijack sessions before anyone even logs in. The update specifically targets pre-auth SQL injection, session poisoning bypasses, LDAP code execution risks, and several network and CSS sanitization loopholes that automated scanners love to exploit. Server admins should back up their current files and database, extract the new release over the existing install while preserving custom configs, then run the built-in migration script and clear the cache to avoid interface glitches. Skipping third-party hosting panels during this process keeps custom settings intact and prevents a half-patched setup from breaking mid-week.

Roundcube Webmail 1.6.16 LTS and 1.7.1 released @ Linux Compatible