diff --git a/roundcubemail.spec b/roundcubemail.spec
index badf520..2c0fbae 100644
--- a/roundcubemail.spec
+++ b/roundcubemail.spec
@@ -2,7 +2,7 @@
 %global _logdir /var/log
 Name: roundcubemail
 Version: 1.0.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Round Cube Webmail is a browser-based multilingual IMAP client
 Group: Applications/System
@@ -99,6 +99,11 @@ sed -i 's/\r//' SQL/mssql.initial.sql
 # Drop precompiled flash
 find . -type f -name '*.swf' | xargs rm -f
+# Wipe bbcode plugin from bundled TinyMCE to make doubleplus sure we cannot
+# be vulnerable to CVE-2012-4230, unaddressed upstream
+echo "CVE-2012-4230: removing tinymce bbcode plugin, check path if this fails."
+test -d program/js/*mce/plugins/bbcode && rm -rf program/js/*mce/plugins/bbcode || exit 1
+
 %build
 # Nothing
@@ -172,6 +177,9 @@ rm -rf %{buildroot}
 %changelog
+* Sat Dec 20 2014 Adam Williamson - 1.0.4-2
+- drop tinymce bbcode plugin for safety (CVE-2012-4230)
+
 * Sat Dec 20 2014 Adam Williamson - 1.0.4-1
 - new release 1.0.4 (security update)
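Review bot: The added `test -d program/js/*mce/plugins/bbcode && rm -rf ... || exit 1` line in the second hunk checks only that one globbed path, so a bbcode plugin directory anywhere else in the unpacked tree would still be packaged without the build noticing. Keeping the existing line as the "path moved" tripwire, I would follow it with an assertion that nothing is left, for example `test -z "$(find . -type d -name bbcode -path '*mce*')" || exit 1`. The unquoted glob also means `test -d` only behaves as intended when exactly one directory matches; with two matches it errors out and the build stops with no indication of why. The `echo` runs on every build, including successful ones, so the message would read more accurately if printed to stderr from the failure branch only. The %prep section this sits in starts and ends outside the hunk.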