oss-sec mailing list archives

Re: CVE-2026-35537+more: Roundcube arbitrary write + ID/XSS/etc. prior to 1.6.14


From: Valtteri Vuorikoski <vuori () notcom org>
Date: Sat, 11 Apr 2026 16:31:34 +0300

Addendum: versions 1.5.15/1.6.15 were released March 29 that correct regressions introduced
in 1.5.14/1.6.14 and fix one more cross-site issue:

  * SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via
  fill/filter/stroke, reported by class_nzm.

Announcement is at
<https://roundcube.net/news/2026/03/29/security-updates-1.7-rc6-1.6.15-1.5.15>. This
appears to be CVE-2026-35545.

 -Valtteri
 


Current thread: