Package: src:roundcube
Source: src:roundcube
Submitter: Guilhem Moulin
Date: 2026-05-28 13:05:05 UTC
Severity: normal
Tags:
Source: roundcube
Version: 1.6.15+dfsg-1
Control: found -1 1.6.15+dfsg-0+deb13u1
Control: found -1 1.6.5+dfsg-1+deb12u8
Control: found -1 1.4.15+dfsg.1-1+deb11u8
Severity: grave
Justification: user security hole
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
Roundcube webmail upstream has recently released 1.6.16 [0] which fixes
the following security vulnerabilities:

1. Stored XSS/HTML/CSS injection in subject field of the draft restore dialog.
2. CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">.
3. Pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass.
4. SSRF bypass via specific local address URLs.
5. Local/private URL fetch bypass when remote resources were not allowed.
6. Bypass of remote image blocking via CSS var().
7. Pre-auth arbitrary file delete via redis/memcache session poisoning bypass.
8. Code injection vulnerability via code evaluation support in LDAP autovalues option. Code evaluation support has now been removed.

AFAIK no CVE-IDs have been published for these issues. I'll request
some later today unless someone beats me to it.
Forgot the links to the upstream fixes, sorry. Here they are for the release-1.6 branch.

https://github.com/roundcube/roundcubemail/commit/a21519187873ce962db029b6ff68e47bd7f3fd8a
https://github.com/roundcube/roundcubemail/commit/58e5263f341e6a418774fb6d2643669a3c4d8a27
https://github.com/roundcube/roundcubemail/commit/87124cc7136a48b5fa9d2b40dfead6e9dcaeaf4b
https://github.com/roundcube/roundcubemail/commit/cb3fc9041e91640ba9ba49ee7b2147c176ebf5a1
https://github.com/roundcube/roundcubemail/commit/7b52353653a67e6073b97d70eb94047132b78556
https://github.com/roundcube/roundcubemail/commit/852350486b88b35b8544e8a630fad89e99e2150a
https://github.com/roundcube/roundcubemail/commit/703318e6a59515b73b0d8aa2a91e346b02f56baa
https://github.com/roundcube/roundcubemail/commit/ea1798a6fbf060abcc0ba73b2435036bf8016a5a
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1137507@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 25 May 2026 00:30:41 +0200
Source: roundcube
Architecture: source
Version: 1.6.16+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1137507
Changes:
roundcube (1.6.16+dfsg-1) unstable; urgency=medium
.
* New upstream security and bugfix release (closes: #1137507).
+ Fix stored XSS/HTML/CSS injection in subject field of the draft restore
dialog.
+ Fix CSS injection bypass in HTML sanitizer via SVG <animate
attributeName="style">.
+ Fix pre-auth SQL injection in `virtuser_query plugin` via
`preg_replace()` backslash escape bypass.
+ Fix SSRF bypass via specific local address URLs.
+ Fix local/private URL fetch bypass when remote resources were not
allowed.
+ Fix bypass of remote image blocking via CSS `var()`.
+ Fix pre-auth arbitrary file delete via redis/memcache session poisoning
bypass.
+ Code injection vulnerability via code evaluation support in LDAP
autovalues option. Code evaluation support has been removed.
* Refresh d/patches.
* d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch: Add support for
non quad-dotted IPs and non-decimal fields to match the upstream behavior.
* Update Standards-Version to 4.7.4 (no changes necessary).
The CVE IDs have now been requested.
The CVE IDs have now been assigned: CVE-2026-48849 CVE-2026-48848 CVE-2026-48842 CVE-2026-48843 CVE-2026-48845 CVE-2026-48846 CVE-2026-48847 CVE-2026-48844

I'll prepare debdiffs for bookworm- and trixie-security shortly and send them to the security team for review.
Hi,

Here are tested debdiffs for bookworm- and trixie-security fixing these issues. As for the previous uploads, I suggest following 1.6.x for trixie-security (the upstream diff [0] is pretty targeted already) and backporting targeted fixes for bookworm-security.

There is a lot of added complexity in the custom patch d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch (which fixes CVE-2026-35540 and its follow-up CVE-2026-48843 in a native fashion), but I also added a lot of unit tests for the new function and tested it on a 32-bit platform (where 2³²-1 exceeds PHP_INT_MAX) and on both big- and little-endian platforms.

The reason for the added complexity is to cover IPv4 addresses that are not formatted in dotted-quad, dotted-decimal notation, see inet_aton(3). For instance http://192.11010306, http://0xc0A80102, and http://192.0250.1.2 all escape the original fix for CVE-2026-35540, but GuzzleHTTP (and also ping(1) and Firefox) would happily normalize them to http://192.168.1.2, thereby causing SSRF.
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1137507@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 25 May 2026 23:06:33 +0200
Source: roundcube
Architecture: source
Version: 1.6.16+dfsg-0+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1137507
Changes:
roundcube (1.6.16+dfsg-0+deb13u1) trixie-security; urgency=high
.
* New upstream security and bugfix release (closes: #1137507).
+ Fix CVE-2026-48842: pre-auth SQL injection in `virtuser_query plugin`
via `preg_replace()` backslash escape bypass.
+ Fix CVE-2026-48843: SSRF bypass via specific local address URLs. Add
support non quad-dotted IPs and non-decimal fields to
d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch in order to
match the new upstream behavior.
+ Fix CVE-2026-48844: Code injection vulnerability via code evaluation
support in LDAP autovalues option. Code evaluation support has now been
removed.
+ Fix CVE-2026-48845: Local/private URL fetch bypass when remote resources
were not allowed.
+ Fix CVE-2026-48846: Bypass of remote image blocking via CSS `var()`.
+ Fix CVE-2026-48847: Pre-auth arbitrary file delete via redis/memcache
session poisoning bypass.
+ Fix CVE-2026-48848: CSS injection bypass in HTML sanitizer via SVG
<animate attributeName="style">.
+ Fix CVE-2026-48849: Stored XSS/HTML/CSS injection in subject field of
the draft restore dialog.
+ Fix PHP8 warnings.
+ Fix potential too long value in IMAP ID command.
* Refresh d/patches.
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1137507@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 26 May 2026 01:08:43 +0200
Source: roundcube
Architecture: source
Version: 1.6.5+dfsg-1+deb12u9
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@alioth-lists.debian.net>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1137507
Changes:
roundcube (1.6.5+dfsg-1+deb12u9) bookworm-security; urgency=high
.
* Cherry pick upstream security fixes from v1.6.16 (closes: #1137507).
+ Fix CVE-2026-48842: pre-auth SQL injection in `virtuser_query` plugin
via `preg_replace()` backslash escape bypass.
+ Fix CVE-2026-48843: SSRF bypass via specific local address URLs. Add
support non quad-dotted IPs and non-decimal fields to
d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch in order to
match the new upstream behavior.
+ Fix CVE-2026-48844: Code injection vulnerability via code evaluation
support in LDAP autovalues option. Code evaluation support has now been
removed.
+ Fix CVE-2026-48845: Local/private URL fetch bypass when remote resources
were not allowed.
+ Fix CVE-2026-48846: Bypass of remote image blocking via CSS `var()`.
+ Fix CVE-2026-48847: Pre-auth arbitrary file delete via redis/memcache
session poisoning bypass.
+ Fix CVE-2026-48848: CSS injection bypass in HTML sanitizer via SVG
<animate attributeName="style">.
+ Fix CVE-2026-48849: Stored XSS/HTML/CSS injection in subject field of
the draft restore dialog.