We use a modified version of the Roundcube webmail framework that has essentially become our own version. We have posted some of the issues we corrected within Roundcube that we consider to be more serious. We operate under a best-practices and future-proofing policy, meaning we patch what we consider a potential vulnerability rather than being reactive. We code with security first and we build a lot on open source. We review all open source frameworks and plugins used. Here are the things we have found and fixed.

Unserialize vulnerabilities in Roundcube
Information leakage in the Roundcube twofactor_gauthenticator plugin
SQL Injection & insecure password storage in Roundcube fetchmail plugin
Thunderbird Labels plugin vulnerability report
Roundcube template eval() vulnerability report