Facebook
Twitter- Server operating system version
- Ubuntu 24.04
- Plesk version and microupdate number
- 18.0.78 #2
Hi Plesk Team and Community,
On May 24, 2026, the Roundcube project released critical security updates — versions 1.6.16 and 1.7.1 — addressing 8 security vulnerabilities, several of which are pre-authentication or require no user interaction:
Changelog Snippet:
The Roundcube team strongly recommends updating all production installations immediately.
Release announcement: Security updates 1.6.16 and 1.7.1 released
My question to the Plesk team:
When can we expect Plesk to ship the updated Roundcube packages (1.6.16 or 1.7.1) through the standard Plesk update mechanism?
Given that at least two of these vulnerabilities are pre-authentication (SQL injection + arbitrary file deletion), this is a high-severity issue for any publicly accessible Plesk server with Roundcube enabled. A timeline or interim mitigation guidance would be greatly appreciated.
Thank you!
On May 24, 2026, the Roundcube project released critical security updates — versions 1.6.16 and 1.7.1 — addressing 8 security vulnerabilities, several of which are pre-authentication or require no user interaction:
- CVE-2026-48842
- CVE-2026-48843
- CVE-2026-48845
- CVE-2026-48846
- CVE-2026-48847
- CVE-2026-48848
- CVE-2026-48844
- CVE-2026-48849
Changelog Snippet:
- Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
- Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
- Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
- Security: Fix SSRF bypass via specific local address URLs
- Security: Fix bypass of remote image blocking via CSS var()
- Security: Fix local/private URL fetch bypass when remote resources were not allowed
- Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
- Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option
The Roundcube team strongly recommends updating all production installations immediately.
Release announcement: Security updates 1.6.16 and 1.7.1 released
My question to the Plesk team:
When can we expect Plesk to ship the updated Roundcube packages (1.6.16 or 1.7.1) through the standard Plesk update mechanism?
Given that at least two of these vulnerabilities are pre-authentication (SQL injection + arbitrary file deletion), this is a high-severity issue for any publicly accessible Plesk server with Roundcube enabled. A timeline or interim mitigation guidance would be greatly appreciated.
Thank you!
