We use a modified version of the Roundcube webmail framework (modified to meet our security and encryption requirements), and we operate under a best-practices and future-proofing policy. We write our own plugins with security first, but we also use some open source plugins, and we review every open source plugin we use. Below are the issues we have found and fixed during these code reviews. Note: these write-ups are in markdown, but we do not render it.
Information leakage in the Roundcube twofactor_gauthenticator plugin
SQL Injection & insecure password storage in Roundcube fetchmail plugin