Overview
Roundcube Webmail is a long-standing, widely trusted open-source webmail platform used by shared hosting providers, enterprises, universities, and government environments. Because it sits directly between users and their email, any weakness in how it handles content can have immediate and serious consequences.
On 13 December 2025, the Roundcube project released security-driven updates for both supported branches:
- Roundcube 1.6.12 (current stable)
- Roundcube 1.5.12 (Long-Term Support)
These releases were issued specifically to fix two serious client-side vulnerabilities affecting how emails are rendered in the browser. The flaws do not require server compromise and can be triggered simply by a user opening or previewing a malicious email. That is what made this update urgent.
However, to fully understand the risk, it’s important to view these issues in the broader historical context of Roundcube vulnerabilities over the last few years.
What Went Wrong in December 2025
1) Cross-Site Scripting (XSS) via SVG Content
What actually happened
Roundcube allows HTML emails to display images, including SVG files. SVGs are not just images — they are XML-based and can include scripting or animation elements.
Roundcube’s sanitization logic failed to fully block certain SVG animation tags. This meant a specially crafted SVG embedded in an email could execute JavaScript inside the webmail interface.
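As an added illustration (not Roundcube's own sanitizer code), a small scanner that flags the active SVG constructs a webmail sanitizer has to neutralise before an HTML email is rendered. The advisory does not say which animation tags were missed, so the element names below are taken from the SVG specification, not from the page:

```python
from html.parser import HTMLParser

# Constructed example for mail-gateway or log-replay detection. The set of SVG
# animation elements is assumed from the SVG specification; the advisory above
# does not name the specific tags that slipped past the sanitizer.
SVG_ANIMATION_TAGS = {"animate", "set", "animatemotion", "animatetransform"}
ACTIVE_SVG_TAGS = {"script", "foreignobject"} | SVG_ANIMATION_TAGS


class SvgRiskScanner(HTMLParser):
    """Walk an HTML email body and record risky constructs found inside <svg>."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0      # >0 while we are inside an inline <svg> element
        self.findings = []      # e.g. "svg:animate", "svg:rect@onload"

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return              # only inline SVG content is in scope here
        if tag in ACTIVE_SVG_TAGS:
            self.findings.append(f"svg:{tag}")
        # Any event-handler attribute inside SVG is script execution by another name.
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"svg:{tag}@{name.lower()}")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1


def scan_email_html(body: str) -> list:
    """Return the list of risky SVG constructs found in an HTML email body."""
    scanner = SvgRiskScanner()
    scanner.feed(body)
    return scanner.findings


# Constructed sample bodies: a plain vector image and one carrying active content.
SAMPLE_BENIGN = '<p>Hi</p><svg width="10" height="10"><circle r="4"/></svg>'
SAMPLE_RISKY = '<p>Hi</p><svg><animate attributeName="x"/><script>1</script></svg>'

if __name__ == "__main__":
    for label, body in (("benign", SAMPLE_BENIGN), ("risky", SAMPLE_RISKY)):
        print(label, scan_email_html(body) or "no findings")
```

A non-empty result is a reason to quarantine the message or to record the sender and recipient for later review, not proof of exploitation.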
Why this matters
If exploited, an attacker could:
- Run JavaScript in the context of the logged-in user
- Steal session cookies
- Read or exfiltrate emails
- Send messages as the victim
- Modify account settings or preferences
The attacker does not need server access, admin rights, or a stolen password.
The only requirement is that the victim views the malicious email.
This places the attack squarely in the category of high-impact XSS, especially dangerous in webmail software.
2) Information Disclosure via HTML/CSS Sanitizer
What actually happened
Roundcube uses an internal HTML/CSS sanitizer to strip unsafe styles from emails. Certain edge-case CSS and HTML constructs were not fully cleaned, allowing attackers to bypass filtering.
What attackers could gain
This flaw could allow:
- Exposure of filtered or hidden content
- Leakage of internal rendering behavior
- Better understanding of how to craft future payloads
While not as immediately destructive as XSS, this kind of information disclosure often serves as a stepping stone to more severe attacks.
Why the Combined Impact Is Serious
When these two flaws exist together, an attacker can:
- Probe what content the sanitizer allows
- Refine payloads using leaked rendering behavior
- Deliver more reliable XSS attacks
- Compromise user sessions quietly
Because Roundcube runs inside the browser and processes sensitive data (emails, contacts, authentication cookies), the impact is user-level account compromise at scale.
Historical Vulnerabilities: What Has Been Fixed in Recent Years
The December 2025 issues did not appear in isolation. Roundcube has faced several significant vulnerabilities in recent releases, many of which were actively exploited before patches were applied.
Critical RCE – CVE-2025-49113 (Earlier in 2025)
Nature of the flaw
This was a post-authentication remote code execution vulnerability. It affected Roundcube versions:
- Below 1.5.10
- Below 1.6.11
The issue stemmed from unsafe PHP object deserialization in the file upload logic. A specially crafted request parameter could be abused by an authenticated user to execute arbitrary PHP code on the server.
Impact
- Full server compromise
- Ability to run arbitrary commands
- Data theft, persistence, lateral movement
Why it was critical
Although authentication was required, many real-world environments have:
- Compromised user credentials
- Shared hosting users
- Webmail exposed to large user populations
Once a single account was compromised, the server itself could fall.
Remediation
This flaw was fixed in:
- Roundcube 1.5.10
- Roundcube 1.6.11
Older XSS Vulnerabilities (2023–2024)
Before the December 2025 SVG issue, Roundcube had already addressed multiple XSS flaws, including vulnerabilities that allowed:
- Script execution via crafted HTML emails
- Credential and email theft
- Exploitation through preview panes
Some of these were actively used in targeted phishing campaigns, especially against shared hosting and institutional webmail deployments.
These were patched incrementally, but they highlight a consistent theme:
HTML and email rendering remain the highest-risk area in Roundcube.
What This History Tells Us
Taken together, these issues show a clear pattern:
- Roundcube is a high-value target because of its role
- Most severe vulnerabilities involve:
  - HTML rendering
  - Input sanitization
  - Deserialization logic
- Attacks often require minimal user interaction
- Delayed patching significantly increases real-world risk
This does not mean Roundcube is unsafe by design — it means that running outdated versions is dangerous.
What Administrators Must Do Now
If you operate or manage Roundcube:
1) Verify your version immediately
You are vulnerable if you are running:
- Any 1.6.x version before 1.6.12
- Any 1.5.x LTS version before 1.5.12
2) Apply the official security updates
Upgrade to:
- Roundcube 1.6.12
- Roundcube 1.5.12 (LTS)
Official patch source (updates only):
3) After patching
- Clear application caches
- Restart web services if required
- Confirm the version number is updated
- Review logs for unusual session behavior prior to patching
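The version check in step 1, as an added example that is not Roundcube's own tooling: it reads the RCMAIL_VERSION define (assumed to live in program/include/iniset.php) and reports which of the fixes named in this article an installed version still lacks, including the earlier CVE-2025-49113 fix.

```python
import re

# Added example, not part of the Roundcube project. The fixed versions are the
# ones stated in this article; everything else here is an assumption.
DEC_2025 = "December 2025 SVG XSS and sanitizer information disclosure"
RCE_2025 = "CVE-2025-49113 post-authentication deserialization RCE"

# (branch, first fixed release, issue)
FIXES = [
    ((1, 6), (1, 6, 11), RCE_2025),
    ((1, 6), (1, 6, 12), DEC_2025),
    ((1, 5), (1, 5, 10), RCE_2025),
    ((1, 5), (1, 5, 12), DEC_2025),
]

# Assumption: the installed version is declared in program/include/iniset.php
# as define('RCMAIL_VERSION', '1.6.11'); check this against your own tree.
VERSION_DEFINE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(text: str) -> tuple:
    """'1.6.11' -> (1, 6, 11, 0). A pre-release such as '1.6.12-rc' sorts below
    the final release of the same number, so it still counts as unpatched."""
    core, _, suffix = text.partition("-")
    parts = tuple(int(p) for p in core.split("."))
    return parts + (-1 if suffix else 0,)


def version_from_iniset(source: str) -> str:
    """Extract the version string from the contents of iniset.php."""
    m = VERSION_DEFINE.search(source)
    if not m:
        raise ValueError("RCMAIL_VERSION define not found")
    return m.group(1)


def missing_fixes(version: str) -> list:
    """Return the issues from this article that the given version lacks."""
    v = parse_version(version)
    branch = v[:2]
    if branch < (1, 5):
        return [RCE_2025, DEC_2025]  # unsupported branch: received none of these fixes (assumed)
    missing = []
    for fix_branch, fixed_in, issue in FIXES:
        if branch == fix_branch and v < fixed_in + (0,) and issue not in missing:
            missing.append(issue)
    return missing  # empty for branches newer than the ones this article covers


if __name__ == "__main__":
    sample_iniset = "<?php\ndefine('RCMAIL_VERSION', '1.6.11');\n"  # constructed
    ver = version_from_iniset(sample_iniset)
    print(ver, "missing:", missing_fixes(ver) or "nothing from this article")
```

Run it against the real iniset.php on each host before and after upgrading; an empty list after the upgrade confirms step 3's "version number is updated" check.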
Final Takeaway
The December 2025 update closed real, exploitable vulnerabilities, not theoretical ones. When combined with earlier flaws — including a critical server-side RCE earlier in the year — it becomes clear that timely updates are non-negotiable for Roundcube deployments.
Unpatched webmail software does not just risk downtime.
It risks silent account compromise, data exposure, and loss of trust.
