• The APS Catalog has been deprecated and removed from all Plesk Obsidian versions.
    Applications already installed from the APS Catalog will continue working. However, Plesk will no longer provide support for APS applications.
  • Please be aware: with the Plesk Obsidian 18.0.78 release, the support for the ngx_pagespeed.so module will be deprecated and removed from the sw-nginx package.

Question When will Plesk update Roundcube to 1.6.16 / 1.7.1? (Multiple CVEs)

D

dm-othmer

New Pleskian
Server operating system version
Ubuntu 24.04
Plesk version and microupdate number
18.0.78 #2
Hi Plesk Team and Community,

On May 24, 2026, the Roundcube project released critical security updates — versions 1.6.16 and 1.7.1 — addressing 8 security vulnerabilities, several of which are pre-authentication or require no user interaction:
  • CVE-2026-48842
  • CVE-2026-48843
  • CVE-2026-48845
  • CVE-2026-48846
  • CVE-2026-48847
  • CVE-2026-48848
  • CVE-2026-48844
  • CVE-2026-48849

Changelog Snippet:
  • Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
  • Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
  • Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
  • Security: Fix SSRF bypass via specific local address URLs
  • Security: Fix bypass of remote image blocking via CSS var()
  • Security: Fix local/private URL fetch bypass when remote resources were not allowed
  • Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
  • Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option

The Roundcube team strongly recommends updating all production installations immediately.
Release announcement: Security updates 1.6.16 and 1.7.1 released

My question to the Plesk team:
When can we expect Plesk to ship the updated Roundcube packages (1.6.16 or 1.7.1) through the standard Plesk update mechanism?

Given that at least two of these vulnerabilities are pre-authentication (SQL injection + arbitrary file deletion), this is a high-severity issue for any publicly accessible Plesk server with Roundcube enabled. A timeline or interim mitigation guidance would be greatly appreciated.

Thank you!
 
Hello!

> When can we expect Plesk to ship the updated Roundcube packages (1.6.16 or 1.7.1) through the standard Plesk update mechanism?

Likely in the beginning of the next week.

> Given that at least two of these vulnerabilities are pre-authentication (SQL injection + arbitrary file deletion), this is a high-severity issue for any publicly accessible Plesk server with Roundcube enabled.

Plesk don't enable virtuser_query plugin in Roundcube as well as not use redis/memache for session storage in Roundcube.
 
You must log in or register to reply here.

Similar threads

T
Issue [BUG] sw-nginx 1.30.1 (CVE-2026-42945 patch) crashes with SIGABRT on AlmaLinux 9.7 + OpenSSL 3.5.1
Replies
6
Views
382
Kaspar
K
R
Resolved CVE-2026-42945 Nginx Rift and older Wordpress Toolkit heads up
Replies
14
Views
3K
rhall
R
M
Resolved Roundcube vulnerability CVE-2025-49113
2
Replies
29
Views
14K
Sebahat.hadzhi
Sebahat.hadzhi
M
Issue [CVE-2025-40778] BIND 9 Resolver Enables Cache Poisoning Via Unsolicited Answers
Replies
2
Views
3K
Kaspar
K
C
Issue Plesk-mail-pc-driver update 18.0.76.5 causes Dovecot authentication database desync on every automatic update
Replies
6
Views
2K
Sebahat.hadzhi
Sebahat.hadzhi
Back
Top