oss-sec mailing list archives

CVE-2026-26079/CVE-2026-25916: Roundcube vulns prior to 1.5.13/1.6.13


From: Valtteri Vuorikoski <vuori () notcom org>
Date: Mon, 23 Feb 2026 17:28:14 +0900

Roundcube, a PHP-based webmail frontend, released a series of security updates
on Feb 8, again with little fanfare. From the release announcement:

 * Fix CSS injection vulnerability reported by CERT Polska.

 * Fix remote image blocking bypass via SVG content reported by nullcathedral.

These are fixed in the newly-released versions 1.5.13 and 1.6.13. While not
mentioned in the official announcement, these appear to be CVE-2026-26079 (4.7)
and CVE-2026-25916 (4.3) respectively.

Full announcement:
https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13

 -Valtteri

