CVE-2021-46144: Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences. https://roundcube.net/news/2021/12/30/update-1.5.2-released https://roundcube.net/news/2021/12/30/security-update-1.4.13-released Please bump to 1.4.13 and cleanup the 1.5.x versions.