Roundcube Webmail has released critical updates for versions 1.5 through 1.7 to address a significant SVG exploit that allows remote image loading through malicious attributes. The updates introduce new features for administrators, including support for arrays in SMTP configuration and a CLI script for system health checks, enhancing server management capabilities. Additionally, the update resolves issues with inline images and tightens Ajax request rules to prevent false security alerts during legitimate operations. It is crucial for those managing public-facing email clients to apply these updates promptly to safeguard against potential attacks and ensure the stability of the application

Roundcube Webmail 1.7 RC6, 1.6.15, and 1.5.15 released

Roundcube Webmail just dropped a critical update across versions 1.5 through 1.7 to patch a nasty SVG exploit that lets attackers load remote images via malicious attributes. Admins finally get some real tools with support for arrays in SMTP config and a CLI script that checks system health without needing to log into the web interface. The release also restores broken data URL images and tightens Ajax request rules so legitimate background tasks stop getting flagged as security threats. Running a public facing client means applying this fix right away because that image loading loophole makes it way too easy for bad actors to pull off targeted attacks.

Roundcube Webmail 1.7 RC6, 1.6.15, and 1.5.15 released @ Linux Compatible