may 24, 2026
1 link from the engineering internet.
github.com
osssystems
roundcube 1.7.1 and 1.6.16 ship 8 security fixes
security patches for both stable branches close pre-auth sql injection, session poisoning bypass, ldap code injection, and css var() ssrf bypass. eight vulnerabilities fixed, some requiring no authentication to trigger.