Nixpkgs Security Tracker

Login with GitHub

Details of issue NIXPKGS-2026-0239

NIXPKGS-2026-0239
published on 15 Feb 2026
Permalink CVE-2026-26079
updated 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 3 weeks, 4 days ago
  • @LeSuisse removed package ayatana-webmail 3 weeks ago
  • @LeSuisse accepted 3 weeks ago
  • @LeSuisse published on GitHub 3 weeks ago
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading …

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.

References

Affected products

Webmail
  • <1.5.13
  • <1.6.13 
Upstream advisory: https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13