CVE-2026-48842

Published May 25, 2026

Last updated 3 days ago

CVSS high 8.1
Roundcube Webmail

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-48842 describes a pre-authentication SQL injection vulnerability affecting Roundcube Webmail versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1. The flaw is specifically located within the `virtuser_query` plugin and can be exploited by bypassing a `preg_replace()` backslash escape. This CVE was recently published to the CVE List and added to the NVD dataset on May 25, 2026.

Description: Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass.
Source: cve@mitre.org
NVD status: Deferred

Risk scores

CVSS 3.1

Type: Secondary
Base score: 8.1
Impact score: 5.9
Exploitability score: 2.2
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

cve@mitre.org
CWE-89

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 19

  1. High-CVSS-score security vulnerabilities affecting Roundcube versions before 1.6.16 and before 1.7.1 have been announced. There is a risk of SQL injection and RCE. Update your Roundcube to either version 1.7.1 or 1.6.16. CVE: CVE-2026-48842 CVE-2026-48843 CVE-2026-48848

    @ridvanyagli, 29 May 2026. 213 impressions, 0 retweets, 2 likes, 0 bookmarks, 0 replies, 0 quotes.

  2. 🚨Alert🚨 CVE-2026-48842 (CVSS 8.1) && CVE-2026-48842-CVE-2026-48849 :Critical Roundcube Webmail Security Updates Fix Severe Flaws 📊 2.6M+ Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/BZe1fAjhlA 👇Query HUNTER : https://t

    @HunterMapping, 29 May 2026. 3597 impressions, 12 retweets, 56 likes, 25 bookmarks, 0 replies, 1 quote.

  3. NEW THREAT INTEL: Roundcube pre-auth SQLi CVE-2026-48842 (8.1) - preg_replace bypass on cPanel/Plesk. Patch 1.6.16/1.7.1. https://t.co/sbGDi4V5d6 #ThreatIntel #SQLi https://t.co/Q8ovD0ZcAR

    @threadlinqs, 28 May 2026. 84 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes.

  4. ⚠️⚠️ CVE-2026-48842 (CVSS 8.1) + CVE-2026-48844 (CVSS 7.5): Pre-auth SQLi in Roundcube virtuser_query plugin; patch to 1.6.16 / 1.7.1. 🔗FOFA Link: https://t.co/rcDbcVQvxt 🎯1.1M+ Results are found on https://t.co/NBEEGu7ePJ in the past year. FOFA Query: app="Roundcub

    @fofabot, 28 May 2026. 10733 impressions, 29 retweets, 130 likes, 73 bookmarks, 1 reply, 0 quotes.

  5. Serious vulnerabilities in Roundcube Webmail. CVE-2026-48842 is an SQL injection with a CVSS score of 8.1. It stems from a bypass of backslash escaping in preg_replace. CVE-2026-48844 has a CVSS score of 7.5 and is a code injection from LDAP autovalue

    @__kokumoto, 28 May 2026. 772 impressions, 1 retweet, 6 likes, 2 bookmarks, 0 replies, 0 quotes.