CVE-2026-26079

Name	CVE-2026-26079
Description	Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-4480-1, DSA-6137-1
Debian Bugs	1127447

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
roundcube (PTS)	bullseye	1.4.15+dfsg.1-1+deb11u4	vulnerable
	bullseye (security)	1.4.15+dfsg.1-1+deb11u7	fixed
	bookworm	1.6.5+dfsg-1+deb12u6	vulnerable
	bookworm (security)	1.6.5+dfsg-1+deb12u7	fixed
	trixie	1.6.12+dfsg-0+deb13u1	vulnerable
	trixie (security)	1.6.13+dfsg-0+deb13u1	fixed
	forky, sid	1.6.13+dfsg-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
roundcube	source	bullseye	1.4.15+dfsg.1-1+deb11u7	DLA-4480-1
roundcube	source	bookworm	1.6.5+dfsg-1+deb12u7	DSA-6137-1
roundcube	source	trixie	1.6.13+dfsg-0+deb13u1	DSA-6137-1
roundcube	source	(unstable)	1.6.13+dfsg-1		1127447

Notes

Fixed by: https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816 (1.6.13)
Regression fix: https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447 (1.6.13)
Regression fix: https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01 (1.6.13)
https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13