Detections
Analytics

openSUSE 16 Security Update : roundcubemail (openSUSE-SU-2026:20323-1)

high Nessus Plugin ID 301453

Language:

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20323-1 advisory.

 Changes to roundcubemail:

 Update to 1.6.13:

 This is a security update to the stable version 1.6 of Roundcube Webmail.
 It provides fixes to recently reported security vulnerabilities:
 - Fix CSS injection vulnerability reported by CERT Polska (boo#1258052, CVE-2026-26079).
 - Fix remote image blocking bypass via SVG content reported by nullcathedral (boo#1257909, CVE-2026-25916).

 This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

 CHANGELOG
 - Managesieve: Fix handling of string-list format values for date tests in Out of Office (#10075)
 - Fix CSS injection vulnerability reported by CERT Polska.
 - Fix remote image blocking bypass via SVG content reported by nullcathedral.

 Update to 1.6.12:

 This is a security update to the stable version 1.6 of Roundcube Webmail.
 It provides fixes to recently reported security vulnerabilities:

 - Fix Cross-Site-Scripting vulnerability via SVG's animate tag reported by Valentin T., CrowdStrike (boo#1255308, CVE-2025-68461).
 - Fix Information Disclosure vulnerability in the HTML style sanitizer reported by somerandomdev (boo#1255306, CVE-2025-68460).

 This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it.

 - Support IPv6 in database DSN (#9937)
 - Don't force specific error_reporting setting
 - Fix compatibility with PHP 8.5 regarding array_first()
 - Remove X-XSS-Protection example from .htaccess file (#9875)
 - Fix Assign to group action state after creation of a first group (#9889)
 - Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
 - Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
 - Fix parsing of inline styles that aren't well-formatted (#9948)
 - Fix Cross-Site-Scripting vulnerability via SVG's animate tag
 - Fix Information Disclosure vulnerability in the HTML style sanitizer

 Update to 1.6.11

 This is a security update to the stable version 1.6 of Roundcube Webmail.
 It provides fixes to recently reported security vulnerabilities:
 * Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.

 - CHANGELOG
 * Managesieve: Fix match-type selector (remove unsupported options) in delete header action (#9610)
 * Improve installer to fix confusion about disabling SMTP authentication (#9801)
 * Fix PHP warning in index.php (#9813)
 * OAuth: Fix/improve token refresh
 * Fix dark mode bug where wrong colors were used for blockquotes in HTML mail preview (#9820)
 * Fix HTML message preview if it contains floating tables (#9804)
 * Fix removing/expiring redis/memcache records when using a key prefix
 * Fix bug where a wrong SPECIAL-USE folder could have been detected, if there were more than one per- type (#9781)
 * Fix a default value and documentation of password_ldap_encodage option (#9658)
 * Remove mobile/floating Create button from the list in Settings > Folders (#9661)
 * Fix Delete and Empty buttons state while creating a folder (#9047)
 * Fix connecting to LDAP using ldapi:// URI (#8990)
 * Fix cursor position on below the quote reply in HTML mode (#8700)
 * Fix bug where attachments with content type of application/vnd.ms-tnef were not parsed (#7119)

 Update to 1.6.10:

 This is the next service release to update the stable version 1.6.
 * IMAP: Partial support for ANNOTATE-EXPERIMENT-1 extension (RFC 5257)
 * OAuth: Support standard authentication with short-living password received with OIDC token (#9530)
 * Fix PHP warnings (#9616, #9611)
 * Fix whitespace handling in vCard line continuation (#9637)
 * Fix current script state after initial scripts creation in managesieve_kolab_master mode
 * Fix rcube_imap::get_vendor() result (and PHP warning) on Zimbra server (#9650)
 * Fix regression causing inline SVG images to be missing in mail preview (#9644)
 * Fix plugin virtuser_file to handle backward slashes in username (#9668)
 * Fix PHP fatal error when parsing some malformed BODYSTRUCTURE responses (#9689)
 * Fix insert_or_update() and reading database server config on PostgreSQL (#9710)
 * Fix Oauth issues with use_secure_urls=true (#9722)
 * Fix handling of binary mail parts (e.g. PDF) encoded with quoted-printable (#9728)
 * Fix links in comments and config to https:// where available (#9759, #9756)
 * Fix decoding of attachment names encoded using both RFC2231 and RFC2047 standards (#9725)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected roundcubemail package.

See Also

https://bugzilla.suse.com/1255306

https://bugzilla.suse.com/1255308

https://bugzilla.suse.com/1257909

https://bugzilla.suse.com/1258052

https://www.suse.com/security/cve/CVE-2025-68460

https://www.suse.com/security/cve/CVE-2025-68461

https://www.suse.com/security/cve/CVE-2026-25916

https://www.suse.com/security/cve/CVE-2026-26079

Plugin Details

Severity: High

ID: 301453

File Name: openSUSE-2026-20323-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 3/7/2026

Updated: 3/7/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.7

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2025-68460

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:roundcubemail

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/5/2026

Vulnerability Publication Date: 12/16/2025

CISA Known Exploited Vulnerability Due Dates: 3/13/2026

Reference Information

CVE: CVE-2025-68460, CVE-2025-68461, CVE-2026-25916, CVE-2026-26079