Roundcube has rolled out version 1.7 to address six security vulnerabilities, including two critical zero-click stored cross-site scripting (XSS) flaws. These vulnerabilities do not require any user interaction to be exploited, significantly increasing their risk profile. The update is highly recommended for immediate implementation in all production environments.

The most critical issue, identified as CVE-2026-54432, involves a stored XSS vulnerability that can be exploited through a maliciously crafted MIME type. When this unescaped MIME type is rendered on the attachment-validation warning page, it executes arbitrary JavaScript in the victim's session without any user interaction. This makes it a true zero-click attack vector.

Another closely related vulnerability, CVE-2026-54433, affects the plain-text rendering engine of Roundcube. This flaw allows attackers to inject malicious scripts into emails that execute silently when a message is viewed in plain-text mode. This bypasses the usual visual cues that users depend on to identify suspicious content.

Both vulnerabilities were discovered by Bohdan Kurinnoy at Samsung R&D Institute Ukraine, underscoring the persistent interest in webmail platforms as high-value targets for credential theft and session hijacking. In addition to the security patches, the update includes several stability improvements such as better handling of HEAD requests, correction of OAuth password claim retrieval logic, and resolution of specific Range request errors.

Organizations using Roundcube should prioritize this update due to the potential for session hijacking, credential theft, and unauthorized mailbox access that these zero-click XSS vulnerabilities present. Roundcube's advisory strongly recommends updating all production installations and performing a full data backup prior to applying the patch. Administrators managing self-hosted webmail instances, especially those accessible to external users, should treat this update as urgent given the low barrier to exploitation.