Roundcube, the widely used open-source webmail software, has officially released critical security updates to address two significant vulnerabilities in its 1.6 and 1.5 LTS (Long-Term Support) versions.
These flaws could allow an attacker to run script in a victim's browser session or to expose information that should stay hidden, posing a risk to organizations and individuals relying on the platform for email communication.
The maintainers of Roundcube Webmail published the security fixes on December 13, 2025, urging administrators to update their installations immediately.
The new release versions, 1.6.12 and 1.5.12, specifically address these reported issues to secure the email environment against potential exploitation.
The Vulnerabilities
The first and most concerning issue addressed in this update is a Cross-Site Scripting (XSS) vulnerability.
The flaw lies in how the software handles SVG (Scalable Vector Graphics) images in HTML email, specifically the SVG animate element. SVG is an XML format that can carry scripts, event handlers and attribute changes over time, so a webmail client must sanitize it carefully before rendering; a gap in that sanitization can let a crafted message run attacker-controlled script in the recipient's session.
The second vulnerability is an Information Disclosure flaw in the HTML style sanitizer.
This component filters the CSS in HTML emails so that rendered messages cannot carry harmful styling or code.
A bypass of this sanitizer could allow an attacker to reveal data that should remain hidden.
While typically less severe than remote code execution, information disclosure can often be chained with other exploits to further compromise a system. This issue was reported by a researcher known as “somerandomdev.”
The Roundcube team strongly recommends that all production installations on the 1.6.x and 1.5.x branches be updated immediately to the latest versions (1.6.12 and 1.5.12).
For administrators, the complete changelogs and download files are available on the official Roundcube GitHub release pages. Keeping webmail clients patched is essential, as they are often public-facing entry points into an organization’s internal network.
Failure to apply these patches leaves users exposed to targeted XSS attacks aimed at taking over email sessions and reading sensitive communications, since a webmail XSS is delivered by mail and needs only that the recipient open the message.
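As an added example (not Roundcube's own tooling), the following POSIX shell script checks whether an installed Roundcube carries the fixed release for its branch. It assumes that the installed version is readable from the RCMAIL_VERSION constant in program/include/iniset.php under the install directory, and it compares version components numerically rather than as strings, so 1.6.9 is correctly ranked below 1.6.12. Branches other than 1.6 and 1.5 are out of support and are reported as unpatched.

```shell
#!/bin/sh
# Added example, not Roundcube project code: report whether an installed
# Roundcube version includes the December 2025 fixes (1.6.12 / 1.5.12).
# Assumption: the version is defined as RCMAIL_VERSION in
# program/include/iniset.php under the install directory.

# Lowest patched release per supported branch, as named in the advisory.
FIXED_1_6="1.6.12"
FIXED_1_5="1.5.12"

# Print the version string found in an install directory, e.g. "1.6.9".
# Returns 1 if the file or the constant is not found.
rc_installed_version() {
    f="$1/program/include/iniset.php"
    [ -r "$f" ] || return 1
    sed -n "s/.*define('RCMAIL_VERSION', *'\([0-9][0-9.]*\)'.*/\1/p" "$f" \
        | head -n 1 | grep .
}

# Compare two dotted versions component by component as integers.
# Returns 0 if $1 >= $2, 1 otherwise (missing components count as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0
    }'
}

# Returns 0 if the given version includes the fixes, 1 otherwise.
# Unsupported branches (anything not 1.6.x or 1.5.x) are treated as unpatched.
rc_version_is_fixed() {
    case "$1" in
        1.6.*|1.6) version_ge "$1" "$FIXED_1_6" ;;
        1.5.*|1.5) version_ge "$1" "$FIXED_1_5" ;;
        *) return 1 ;;
    esac
}

# Check one deployment directory and print a one-line verdict.
# Exit status: 0 patched, 1 unpatched, 2 version not readable.
rc_check_install() {
    v=$(rc_installed_version "$1") || {
        echo "$1: RCMAIL_VERSION not found in program/include/iniset.php"
        return 2
    }
    if rc_version_is_fixed "$v"; then
        echo "$1: $v is patched"
    else
        echo "$1: $v is NOT patched; update to $FIXED_1_6 or $FIXED_1_5"
        return 1
    fi
}

# Usage: sh rc_check.sh /var/www/roundcube [/other/install ...]
if [ "$#" -gt 0 ]; then
    for dir in "$@"; do
        rc_check_install "$dir"
    done
fi
```

Run it against every Roundcube document root on a host; a non-zero exit from rc_check_install is the signal to schedule the upgrade. The numeric comparison matters because a plain string comparison would rank 1.6.9 above 1.6.12 and report an unpatched install as safe.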
