[SECURITY] [DSA 6301-1] roundcube security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 6301-1] roundcube security update
From: Moritz Muehlenhoff <jmm@debian.org>
Date: Wed, 27 May 2026 21:01:07 +0000
Message-id: <[🔎] ahdbk_z4d6nQz-Yp@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6301-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 27, 2026                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : roundcube
CVE ID         : CVE-2026-48842 CVE-2026-48843 CVE-2026-48844 CVE-2026-48845 
                 CVE-2026-48846 CVE-2026-48847 CVE-2026-48848 CVE-2026-48849

Multiple security vulnerabilities were discovered in RoundCube Webmail,
which could result in cross-site scripting, SQL injection, SSRF bypass,
information disclosure, denial of service or code injection.

For the oldstable distribution (bookworm), these problems have been fixed
in version 1.6.5+dfsg-1+deb12u9.

For the stable distribution (trixie), these problems have been fixed in
version 1.6.16+dfsg-0+deb13u1.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmoXWz8ACgkQEMKTtsN8
TjbJhg/8D6sI+vQfFO9z3NgS64mKhkRNXRBoN3YxEfNGFOJcji4WGutf8mnojHAg
nBRHs+IuSaiLEOwWvYsGnYzMFlqXqd2IVxgfyPEGQCLGtTo059XOrQCwnq0+Jxuz
QhKMtsuKM13y3EvP4KGUr91SovR5CPuE25aDdXQliP7qeps3vfyekrhf7XHgaImz
lxrm21ItPdGKmY3AcNq6OXXOx+CW4Z3WBN6eVbQpW4FdhAEWO11IqRaTbWlIjRqc
Vzk3Qrj+Mp/OyTUmd5EuN4rynrLGAnFFfm3TN/8J72uxYjn3M/WRgsvDM0LOrY/p
g6WS8Fd/XfDS3iRHRVbPaXM6Fy4wdBKhtoZzhRAZIw/upt8V8orTd4rGC8+JWTm+
UWdswO9+IoorsnbaNJEpshUkyArf6FtzbsufuNl9CFy+dMFJex1rkX0HYJkXClew
V9KHDYuRxybZitplBd3IbrU2sON2t3ycxXkZtV34J53odZWC8AQsYKTGM7MxfdN4
LErr4l+hhO+wOaG1ek9RL/1P4D7S46RET4xG0QcmEA2qYW3YmtCHsP+/ePIRuC8Z
sVQAQu52TXSglGMm3uw0kgE1ebdLyiFe0T3whZTeBWFBxQ38TFnx3OrlfcPINyPc
OkAN1QDchpd05YO5mAlQUh32hWBodV6Z8OYukE/KZgZtVBaQqBY=
=fxAg
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DSA 6300-1] node-shell-quote security update
Next by Date: [SECURITY] [DSA 6302-1] starlette security update
Previous by thread: [SECURITY] [DSA 6300-1] node-shell-quote security update
Next by thread: [SECURITY] [DSA 6302-1] starlette security update
Index(es):
- Date
- Thread