Critical Roundcube Webmail Vulnerabilities Patched in Urgent Security Update Roundcube Webmail users must update their systems following the disclosure of multiple severe vulnerabilities, including a critical pre-authentication SQL injection flaw that allows attackers to execute malicious database queries without requiring login credentials. The vulnerabilities were addressed in versions 1.6.16 and 1.7.1, released on May 24, 2026, as part of a high-priority security patch affecting both long-term support and current versions. The most severe issue a pre-authentication SQL injection in the virtuser_query plugin stems from improper input sanitization due to a preg_replace backslash escape bypass. This flaw enables unauthenticated attackers to inject arbitrary SQL commands, risking unauthorized data access, database manipulation, or privilege escalation. Additional vulnerabilities include: - A code injection flaw in the LDAP autovalues option, now patched by removing unsafe code evaluation. - A stored XSS vulnerability in the draft restore dialog’s subject field, allowing HTML/CSS injection. - A CSS injection bypass via SVG animate elements in the HTML sanitizer. - An SSRF bypass using crafted local address URLs and a remote resource fetch bypass when blocking external content. - A pre-auth arbitrary file deletion vulnerability via Redis or Memcache session poisoning. - A remote image blocking bypass through CSS var() manipulation. The vulnerabilities were reported by security researchers, including Orange Cyberdefense’s Vulnerability Disclosure Team and independent contributors, underscoring the role of coordinated disclosure in mitigating risks. All Roundcube installations running 1.6.x or 1.7.x are affected, with administrators urged to upgrade immediately to 1.6.16 or 1.7.1 to prevent exploitation. The severity of these flaws particularly the pre-auth SQL injection makes this update critical for organizations using Roundcube, especially in internet-facing environments.