Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.

The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20323-1 advisory.

    Changes to roundcubemail:

    Update to 1.6.13:

      This is a security update to the stable version 1.6 of Roundcube Webmail.
      It provides fixes to recently reported security vulnerabilities:
      - Fix CSS injection vulnerability reported by CERT Polska (boo#1258052,         CVE-2026-26079).
      - Fix remote image blocking bypass via SVG content reported by nullcathedral         (boo#1257909, CVE-2026-25916).

      This version is considered stable and we recommend to update all productive       installations of Roundcube 1.6.x with it. Please do backup your data       before updating!

      CHANGELOG
      - Managesieve: Fix handling of string-list format values for date         tests in Out of Office (#10075)
      - Fix CSS injection vulnerability reported by CERT Polska.
      - Fix remote image blocking bypass via SVG content reported by nullcathedral.

    Update to 1.6.12:

      This is a security update to the stable version 1.6 of Roundcube Webmail.
      It provides fixes to recently reported security vulnerabilities:

      - Fix Cross-Site-Scripting vulnerability via SVG's animate tag         reported by Valentin T., CrowdStrike (boo#1255308, CVE-2025-68461).
      - Fix Information Disclosure vulnerability in the HTML style         sanitizer reported by somerandomdev (boo#1255306, CVE-2025-68460).

      This version is considered stable and we recommend to update all       productive installations of Roundcube 1.6.x with it.

      - Support IPv6 in database DSN (#9937)
      - Don't force specific error_reporting setting
      - Fix compatibility with PHP 8.5 regarding array_first()
      - Remove X-XSS-Protection example from .htaccess file (#9875)
      - Fix Assign to group action state after creation of a first group (#9889)
      - Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
      - Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
      - Fix parsing of inline styles that aren't well-formatted (#9948)
      - Fix Cross-Site-Scripting vulnerability via SVG's animate tag
      - Fix Information Disclosure vulnerability in the HTML style sanitizer

    Update to 1.6.11

      This is a security update to the stable version 1.6 of Roundcube Webmail.
      It provides fixes to recently reported security vulnerabilities:
      * Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.

    - CHANGELOG
      * Managesieve: Fix match-type selector (remove unsupported options) in delete header action (#9610)
      * Improve installer to fix confusion about disabling SMTP authentication (#9801)
      * Fix PHP warning in index.php (#9813)
      * OAuth: Fix/improve token refresh
      * Fix dark mode bug where wrong colors were used for blockquotes in HTML mail preview (#9820)
      * Fix HTML message preview if it contains floating tables (#9804)
      * Fix removing/expiring redis/memcache records when using a key prefix
      * Fix bug where a wrong SPECIAL-USE folder could have been detected, if there were more than one per-     type (#9781)
      * Fix a default value and documentation of password_ldap_encodage option (#9658)
      * Remove mobile/floating Create button from the list in Settings > Folders (#9661)
      * Fix Delete and Empty buttons state while creating a folder (#9047)
      * Fix connecting to LDAP using ldapi:// URI (#8990)
      * Fix cursor position on below the quote reply in HTML mode (#8700)
      * Fix bug where attachments with content type of application/vnd.ms-tnef were not parsed (#7119)

    Update to 1.6.10:

      This is the next service release to update the stable version 1.6.
      * IMAP: Partial support for ANNOTATE-EXPERIMENT-1 extension (RFC 5257)
      * OAuth: Support standard authentication with short-living password received with OIDC token (#9530)
      * Fix PHP warnings (#9616, #9611)
      * Fix whitespace handling in vCard line continuation (#9637)
      * Fix current script state after initial scripts creation in managesieve_kolab_master mode
      * Fix rcube_imap::get_vendor() result (and PHP warning) on Zimbra server (#9650)
      * Fix regression causing inline SVG images to be missing in mail preview (#9644)
      * Fix plugin virtuser_file to handle backward slashes in username (#9668)
      * Fix PHP fatal error when parsing some malformed BODYSTRUCTURE responses (#9689)
      * Fix insert_or_update() and reading database server config on PostgreSQL (#9710)
      * Fix Oauth issues with use_secure_urls=true (#9722)
      * Fix handling of binary mail parts (e.g. PDF) encoded with quoted-printable (#9728)
      * Fix links in comments and config to https:// where available (#9759, #9756)
      * Fix decoding of attachment names encoded using both RFC2231 and RFC2047 standards (#9725)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-d684b372f1 advisory.

    ## Release 1.6.13

    - Managesieve: Fix handling of string-list format values for date tests in Out of Office (#10075)
    - Fix remote image blocking bypass via SVG content reported by nullcathedral
    - Fix CSS injection vulnerability reported by CERT Polska





Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-547e298156 advisory.

    ## Release 1.6.13

    - Managesieve: Fix handling of string-list format values for date tests in Out of Office (#10075)
    - Fix remote image blocking bypass via SVG content reported by nullcathedral
    - Fix CSS injection vulnerability reported by CERT Polska





Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6137 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6137-1                   security@debian.org     https://www.debian.org/security/                       Sebastien Delafond     February 17, 2026                     https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : roundcube     CVE ID         : CVE-2026-25916 CVE-2026-26079     Debian Bug     : 1127447

    CERT Polska and nullcathedral discovered that roundcube, a skinnable     AJAX based webmail solution for IMAP servers, did not correctly     process and sanitize requests. This would allow an attacker to perform     CSS injection attacks, or leak sensitive information.

    For the oldstable distribution (bookworm), these problems have been fixed     in version 1.6.5+dfsg-1+deb12u7.

    For the stable distribution (trixie), these problems have been fixed in     version 1.6.13+dfsg-0+deb13u1.

    We recommend that you upgrade your roundcube packages.

    For the detailed security status of roundcube please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/roundcube

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4480 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-4480-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                       Guilhem Moulin     February 17, 2026                             https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : roundcube     Version        : 1.4.15+dfsg.1-1+deb11u7     CVE ID         : CVE-2026-25916 CVE-2026-26079     Debian Bug     : 1127447

    Vulnerabilities were discovered in Roundcube, a skinnable AJAX based     webmail solution for IMAP servers, which might lead to information     disclosure or privilege escalation.

    CVE-2026-25916

        NULL CATHEDRAL discovered that the HTML sanitizer doesn't treat SVG         `<feImage href=>` as an image source.  This allows attackers to         bypass remote image blocking to track email open action or         potentially bypass access control.

    CVE-2026-26079

        CERT Polska discovered that CSS code in text/html emails were         insufficiently sanitized, allowing an attacker to inject malicious         stylesheet rules.

    For Debian 11 bullseye, these problems have been fixed in version     1.4.15+dfsg.1-1+deb11u7.

    We recommend that you upgrade your roundcube packages.

    For the detailed security status of roundcube please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/roundcube

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote web server is running Roundcube Webmail version 1.5.x prior to 1.5.13 or 1.6.x prior to 1.6.13. It is, therefore, affected by multiple vulnerabilities:

  - A Cascading Style Sheets (CSS) injection vulnerability exists due to mishandling of comments. A remote attacker     could exploit this to inject arbitrary CSS. (CVE-2026-26079)

  - A remote image blocking bypass exists because SVG feImage elements are not blocked when the 'Block remote images'     setting is used. A remote attacker could exploit this to load remote images. (CVE-2026-25916)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g.,     because comments are mishandled. (CVE-2026-26079)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
301453	openSUSE 16 Security Update : roundcubemail (openSUSE-SU-2026:20323-1)	Nessus	SuSE Local Security Checks	high
299624	Fedora 42 : roundcubemail (2026-d684b372f1)	Nessus	Fedora Local Security Checks	medium
299620	Fedora 43 : roundcubemail (2026-547e298156)	Nessus	Fedora Local Security Checks	medium
299290	Debian dsa-6137 : roundcube - security update	Nessus	Debian Local Security Checks	medium
299289	Debian dla-4480 : roundcube - security update	Nessus	Debian Local Security Checks	medium
298770	Roundcube Webmail 1.5.x < 1.5.13 / 1.6.x < 1.6.13 Multiple Vulnerabilities	Nessus	CGI abuses	medium
298655	Linux Distros Unpatched Vulnerability : CVE-2026-26079	Nessus	Misc.	medium

Detections

Analytics

CVE-2026-26079

medium

Tenable Plugins

high

medium

medium

medium

medium

medium

medium