oss-sec mailing list archives
Re: CVE-2026-35537+more: Roundcube arbitrary write + ID/XSS/etc. prior to 1.6.14
From: Valtteri Vuorikoski <vuori () notcom org>
Date: Sat, 11 Apr 2026 16:31:34 +0300
Addendum: versions 1.5.15/1.6.15 were released March 29 that correct regressions introduced in 1.5.14/1.6.14 and fix one more cross-site issue: * SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm. Announcement is at <https://roundcube.net/news/2026/03/29/security-updates-1.7-rc6-1.6.15-1.5.15>. This appears to be CVE-2026-35545. -Valtteri
Current thread:
- CVE-2026-35537+more: Roundcube arbitrary write + ID/XSS/etc. prior to 1.6.14 Valtteri Vuorikoski (Apr 11)
- Re: CVE-2026-35537+more: Roundcube arbitrary write + ID/XSS/etc. prior to 1.6.14 Valtteri Vuorikoski (Apr 11)
