diff --git a/CHANGELOG.md b/CHANGELOG.md
index b208685c..f297fa34 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ CHANGELOG
 In Development
 --------------
 
+This update is a security update addressing [CVE-2017-16651, a vulnerability in Roundcube webmail that allows logged-in users to access files on the local filesystem](https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10).
+
+Mail:
+
+* Update to Roundcube 1.3.3.
+
 Control Panel:
 
 * Fix DNS validation to allow wildcard custom DNS entries to be set.
diff --git a/setup/webmail.sh b/setup/webmail.sh
index 8c30f701..dfaacf8f 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -36,8 +36,8 @@ apt-get purge -qq -y roundcube* #NODOC
 # Install Roundcube from source if it is not already present or if it is out of date.
 # Combine the Roundcube version number with the commit hash of plugins to track
 # whether we have the latest version of everything.
-VERSION=1.3.1
-HASH=d680f2914a0bff5314d8dda618d55937a13d1c5f
+VERSION=1.3.3
+HASH=903a4eb1bfc25e9a08d782a7f98502cddfa579de
 PERSISTENT_LOGIN_VERSION=dc5ca3d3f4415cc41edb2fde533c8a8628a94c76
 HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5
 CARDDAV_VERSION=2.0.4