DOC: How to update Roundcube to version 1.6.13 (fixes 2 security vulnerabilities)

Hi,

Today, February 8th, 2026, Roundcube 1.6.13 has been released and it fixes two security vulnerabilities.

Security fixes

  • Fix CSS injection vulnerability reported by CERT Polska.
  • Fix remote image blocking bypass via SVG content reported by nullcathedral.

More info about the release:

I’ve created this PR to bump Roundcube version to 1.6.13:


If you want to update Roundcube now, you can do it manually using the steps below.

Disclaimer: it should work fine BUT use this procedure at your own risk!

Note: I assume your currently installed Roundcube version is 1.6.12.


0.- BACKUP, always backup… just in case :wink:

Note: If you use MySQL instead of MariaDB, replace mariadb-dump with mysqldump.

mariadb-dump --defaults-file=/usr/local/hestia/conf/.mysql.localhost --single-transaction --routines -B roundcube > /tmp/roundcube_1.6.12.sql
tar zcf /tmp/roundcube_1.6.12_backup_before_upgrade_1.6.13.tar.gz /etc/roundcube /var/lib/roundcube /tmp/roundcube_1.6.12.sql
rm /tmp/roundcube_1.6.12.sql

Now save to another place the backup file located here /tmp/roundcube_1.6.12_backup_before_upgrade_1.6.13.tar.gz

Example:

mv /tmp/roundcube_1.6.12_backup_before_upgrade_1.6.13.tar.gz /backup/

1.- Modify upgrade.conf file so the Roundcube version is 1.6.13 instead of 1.6.12:

sed -E -i "s/^rc_v='1.*/rc_v='1.6.13'/" /usr/local/hestia/install/upgrade/upgrade.conf

2.- Upgrade Roundcube using the Hestia command below. It will detect that Roundcube is installed, detect the new version and update it:

If you have disabled the PHP functions system and proc_open in the PHP CLI, you won't receive errors but Roundcube won't update to version 1.6.13; it will remain at version 1.6.12. To avoid this problem, before continuing, remove both functions for your current PHP CLI version. These two commands will remove the functions from your current PHP CLI version (the version is detected automatically).

sed -i -E 's/(^disable_functions.*),proc_open(.*$)/\1\2/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini
sed -i -E 's/(^disable_functions.*),system(.*$)/\1\2/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini

Now you can proceed with the upgrade:

v-add-sys-roundcube

3.- Update composer packages used by roundcube:

cd /var/lib/roundcube/
COMPOSER_ALLOW_SUPERUSER=1 composer -n update

If composer is not in your path, you should use the full path to the composer utility. If you don't even know whether you have it installed, or how to install it, just install it for the admin user.

v-add-user-composer admin

If it is not installed, the command will install it for the admin user; if you already had it installed, you will be informed. Now that it is installed, you can update the composer packages using the full path to composer.

cd /var/lib/roundcube/
COMPOSER_ALLOW_SUPERUSER=1 /home/admin/.composer/composer -n update

Hope it helps. Take care.

10 Likes
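The procedure above edits the PHP CLI disable_functions list with a fixed ",proc_open" / ",system" substitution, which silently does nothing when the name is first in the list, and the revert step appends the names blindly. The following script is an added example, not code from the original post or from HestiaCP: it provides list-aware remove/restore helpers for disable_functions, extracts RCMAIL_VERSION the same way the thread checks it, and compares versions so the upgrade can be verified before the hardening is restored. The php.ini and iniset.php contents it operates on are constructed sample data; the only real paths are the ones the post itself uses, and they appear only in comments.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from HestiaCP: helper
# functions for the upgrade procedure above. The only real paths mentioned are
# the ones the post itself uses; the php.ini and iniset.php contents below are
# constructed sample data so everything here runs offline.
set -eu

# Remove the given comma-separated function names from the disable_functions
# line of php.ini text read on stdin. Unlike a fixed ",proc_open" substitution
# this works when the name is first, last or alone in the list, and it
# tolerates spaces after commas. Other lines pass through unchanged.
php_ini_enable() {
    awk -v remove="$1" '
        BEGIN { n = split(remove, r, ","); for (i = 1; i <= n; i++) rm[r[i]] = 1 }
        /^[ \t]*disable_functions[ \t]*=/ {
            val = $0; sub(/^[^=]*=/, "", val)
            m = split(val, f, ","); out = ""
            for (i = 1; i <= m; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                if (f[i] == "" || (f[i] in rm)) continue
                out = (out == "" ? f[i] : out "," f[i])
            }
            print "disable_functions = " out; next
        }
        { print }'
}

# Inverse operation for the revert step: append names that are not already
# present. Idempotent (running it twice adds nothing) and safe on an empty
# list (no leading comma).
php_ini_disable() {
    awk -v add="$1" '
        /^[ \t]*disable_functions[ \t]*=/ {
            val = $0; sub(/^[^=]*=/, "", val)
            m = split(val, f, ","); out = ""
            for (i = 1; i <= m; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                if (f[i] == "") continue
                seen[f[i]] = 1
                out = (out == "" ? f[i] : out "," f[i])
            }
            n = split(add, a, ",")
            for (i = 1; i <= n; i++) {
                if (a[i] == "" || (a[i] in seen)) continue
                seen[a[i]] = 1
                out = (out == "" ? a[i] : out "," a[i])
            }
            print "disable_functions = " out; next
        }
        { print }'
}

# Print the RCMAIL_VERSION constant from iniset.php text read on stdin.
rc_version() {
    sed -n "s/^define('RCMAIL_VERSION', *'\([^']*\)');.*/\1/p"
}

# Succeed when dotted version $1 is greater than or equal to $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Constructed sample data (not taken from a real server).
SAMPLE_PHP_INI='disable_functions = exec,passthru,shell_exec,system,proc_open,popen'
SAMPLE_INISET="define('RCMAIL_VERSION', '1.6.13');"

printf '%s\n' "$SAMPLE_PHP_INI" | php_ini_enable "proc_open,system"
printf '%s\n' "$SAMPLE_PHP_INI" | php_ini_enable "proc_open,system" | php_ini_disable "proc_open,system"
printf '%s\n' "$SAMPLE_INISET" | rc_version

# On a real Hestia host the same helpers drive steps 2 and 3 of the post, e.g.:
#   ini=/etc/php/$(php -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')/cli/php.ini
#   php_ini_enable "proc_open,system" < "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
#   v-add-sys-roundcube
#   version_ge "$(rc_version < /var/lib/roundcube/program/include/iniset.php)" 1.6.13 \
#       || echo "Roundcube did not reach 1.6.13" >&2
#   php_ini_disable "proc_open,system" < "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
```

The point of restoring the list only after the version check is that proc_open and system stay enabled for the CLI exactly as long as the Hestia upgrade script needs them; if the upgrade did not land, you find out before re-hardening rather than after a second round of edits.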

Thanks a lot! Everything turned out fine Roundcube Webmail 1.6.13

Copyright © 2005-2025, The Roundcube Dev Team

2 Likes

Check your current version as follows:

grep RCMAIL_VERSION /var/lib/roundcube/program/include/iniset.php | cut -d "'" -f 4

1 Like

This code returns 1.6.11 for my setup.

Do follow the steps mentioned above, and you can upgrade.

1 Like

Gracias / Thank you

2 Likes

Thanks, how can I change this back to how it was before?

sed -i -E 's/(^disable_functions.*)/\1,proc_open,system/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini
3 Likes

Your admin user is not a Hestia user; use a Hestia user.

root@vmi2724686:/var/lib/roundcube# COMPOSER_ALLOW_SUPERUSER=1 composer -n update
Deprecation Notice: Using ${var} in strings is deprecated, use {$var} instead in /usr/share/php/Symfony/Component/Console/Command/DumpCompletionCommand.php:48
Deprecation Notice: Using ${var} in strings is deprecated, use {$var} instead in /usr/share/php/Symfony/Component/Console/Command/DumpCompletionCommand.php:56
Deprecation Notice: Using ${var} in strings is deprecated, use {$var} instead in /usr/share/php/Composer/Autoload/AutoloadGenerator.php:879
Deprecation Notice: Using ${var} in strings is deprecated, use {$var} instead in /usr/share/php/Composer/Autoload/AutoloadGenerator.php:884
Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 8 updates, 0 removals
  - Upgrading dasprid/enum (1.0.6 => 1.0.7)
  - Upgrading guzzlehttp/guzzle (7.9.3 => 7.10.0)
  - Upgrading guzzlehttp/promises (2.2.0 => 2.3.0)
  - Upgrading guzzlehttp/psr7 (2.7.1 => 2.8.0)
  - Upgrading pear/net_sieve (1.4.7 => 1.4.8)
  - Upgrading pear/pear-core-minimal (v1.10.16 => v1.10.18)
  - Upgrading roundcube/plugin-installer (0.3.10 => 0.3.11)
  - Upgrading symfony/deprecation-contracts (v2.5.4 => v3.6.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 1 update, 0 removals
  - Downloading symfony/deprecation-contracts (v3.6.0)
  - Upgrading symfony/deprecation-contracts (v2.5.4 => v3.6.0): Extracting archive
Package pear/console_commandline is abandoned, you should avoid using it. No replacement was suggested.
Generating autoload files
4 packages you are using are looking for funding.
Use the composer fund command to find out more!
root@vmi2724686:/var/lib/roundcube# cat /var/lib/roundcube/program/include/iniset.php | grep RCMAIL_VERSION
define('RCMAIL_VERSION', '1.6.13');
root@vmi2724686:/var/lib/roundcube#

Now it shows version 1.6.13, is it ok?

1 Like