MGASA-2026-0065

Source
https://advisories.mageia.org/MGASA-2026-0065.html
Import Source
https://advisories.mageia.org/MGASA-2026-0065.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2026-0065
Published
2026-03-24T17:53:34Z
Modified
2026-03-24T18:00:06.120361Z
Summary
Updated roundcubemail packages fix security vulnerabilities
Details

Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us.
Fix bug where a password could get changed without providing the old password, reported by flydragon777.
Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team.
Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral.
Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral.
Fix fixed position mitigation bypass via use of !important, reported by nullcathedral.
Fix XSS issue in an HTML attachment preview, reported by aikido_security.
Fix SSRF + Information Disclosure via stylesheet links to local network hosts, reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/.


Affected packages

Mageia:9 / roundcubemail

Package

Name
roundcubemail
Purl
pkg:rpm/mageia/roundcubemail?arch=source&distro=mageia-9

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.6.14-1.mga9

Ecosystem specific

{
    "section": "core"
}

Database specific

source
"https://advisories.mageia.org/MGASA-2026-0065.json"