Updated roundcubemail packages fix security vulnerabilities
Publication date: 24 Mar 2026
Modification date: 24 Mar 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-25916, CVE-2026-26079
Description
- Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us.
- Fix bug where a password could get changed without providing the old password, reported by flydragon777.
- Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team.
- Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral.
- Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral.
- Fix fixed position mitigation bypass via use of !important, reported by nullcathedral.
- Fix XSS issue in an HTML attachment preview, reported by aikido_security.
- Fix SSRF + Information Disclosure via stylesheet links to local network hosts, reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/.
References
SRPMS
9/core
- roundcubemail-1.6.14-1.mga9