Roundcube 1.6.12
16 December 2025
Roundcube version 1.6.12 is now available (security release).
Upgrading to Roundcube 1.6.12
Roundcube 1.6.12 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Roundcube updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Roundcube install to test the 1.6.12 upgrade prior to applying it live. Get started managing your Roundcube installations with Installatron
What's New in Roundcube 1.6.12
This is a security update to the stable version 1.6 of Roundcube Webmail.
Security
- Fix Cross-Site-Scripting vulnerability via SVG's animate tag reported by Valentin T., CrowdStrike.
- Fix Information Disclosure vulnerability in the HTML style sanitizer reported by somerandomdev.
Bug Fixes and Changes
- Support IPv6 in database DSN (#9937)
- Don't force specific error_reporting setting
- Fix compatibility with PHP 8.5 regarding array_first()
- Remove X-XSS-Protection example from .htaccess file (#9875)
- Fix "Assign to group" action state after creation of a first group (#9889)
- Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
- Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
- Fix parsing of inline styles that aren't well-formatted (#9948)
- Fix Cross-Site-Scripting vulnerability via SVG's animate tag
- Fix Information Disclosure vulnerability in the HTML style sanitizer