This is a security update to the LTS version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
+ Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog [CVE-2026-48849] [bsc#1266337]
+ Security: Fix CSS injection bypass in HTML sanitizer via SVG [CVE-2026-48848] [bsc#1266336]
+ Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass [CVE-2026-48842] [bsc#1266329]
+ Security: Fix SSRF bypass via specific local address URLs [CVE-2026-48843] [bsc#1266331]
+ Security: Fix bypass of remote image blocking via CSS var() [CVE-2026-48846] [bsc#1266334]
+ Security: Fix local/private URL fetch bypass when remote resources were not allowed [CVE-2026-48845] [bsc#1266333]
+ Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass [CVE-2026-48847] [bsc#1266335]
+ Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option [CVE-2026-48844] [bsc#1266332]
This version is considered stable and we recommend updating all production installations of Roundcube 1.6.x to it. Please back up your data before updating!
Submitted by
Aeneas Jaißle (aeneas_jaissle)
- Version 1.6.16