The headline bug sits in the virtuser_query plugin: a backslash slips past a preg_replace filter and lets an attacker run SQL before authenticating. That's the one to worry about. The rest of the batch is a grab-bag of sanitizer escapes — stored XSS in the draft-restore subject field, a CSS-injection bypass through SVG `<animate attributeName="style">`, and a remote-image block that `var()` walks straight through. Two more deserve a flag: a session-poisoning path that can trigger pre-auth file deletion when sessions are cached in Redis or memcache, plus a code-injection hole in the LDAP autovalues option. The advisory carries no CVE IDs yet. If you self-host on the 1.6.x or 1.7.x line, treat this as patch-now — a pre-auth SQLi on a public webmail login is precisely what gets mass-scanned, and the project's own wording is a blunt "strongly recommend."