AI description
CVE-2026-48842 describes a pre-authentication SQL injection vulnerability affecting Roundcube Webmail versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1. The flaw is specifically located within the `virtuser_query` plugin and can be exploited by bypassing a `preg_replace()` backslash escape. This CVE was recently published to the CVE List and added to the NVD dataset on May 25, 2026.
- Description
- Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass.
- Source
- cve@mitre.org
- NVD status
- Deferred
CVSS 3.1
- Type
- Secondary
- Base score
- 8.1
- Impact score
- 5.9
- Exploitability score
- 2.2
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- cve@mitre.org
- CWE-89
- Hype score
- Not currently trending
CVE-2026-48842: 🚨Alert🚨 CVE-2026-48842 (CVSS 8.1) && CVE-2026-48842-CVE-2026-48849:Critical Roundcube Webmail Security Updates Fix Severe Flaws 📊 2.6M+ Services are found on the yearly. 🔗Hunter Link: 👇Query…
@lyrie_ai
8 Jun 2026
49 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
⚠️ Vulnerabilidades en productos Roundcube ❗ CVE-2026-48848 ❗ CVE-2026-48844 ❗ CVE-2026-48842 ➡️ Más info: https://t.co/YJE7XaZV9p https://t.co/SiNDcHSZ7h
@CERTpy
2 Jun 2026
138 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Roundcube 1.6.16 öncesi ve 1.7.1 öncesi sürümleri etkileyen yüksek CVSS skorlu Güvenlik Açıkları duyuruldu. SQL Injection ve RCE riski var. Roundcube sürümünüzü 1.7.1 veya 1.6.16 sürümlerinden birine güncelleyin. CVE: CVE-2026-48842 CVE-2026-48843 CVE-2026-48848
@ridvanyagli
29 May 2026
280 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨Alert🚨 CVE-2026-48842 (CVSS 8.1) && CVE-2026-48842-CVE-2026-48849 :Critical Roundcube Webmail Security Updates Fix Severe Flaws 📊 2.6M+ Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/BZe1fAjhlA 👇Query HUNTER : https://t
@HunterMapping
29 May 2026
4824 Impressions
16 Retweets
71 Likes
33 Bookmarks
0 Replies
1 Quote
NEW THREAT INTEL: Roundcube pre-auth SQLi CVE-2026-48842 (8.1) - preg_replace bypass on cPanel/Plesk. Patch 1.6.16/1.7.1. https://t.co/sbGDi4V5d6 #ThreatIntel #SQLi https://t.co/Q8ovD0ZcAR
@threadlinqs
28 May 2026
84 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️⚠️ CVE-2026-48842 (CVSS 8.1) + CVE-2026-48844 (CVSS 7.5): Pre-auth SQLi in Roundcube virtuser_query plugin; patch to 1.6.16 / 1.7.1. 🔗FOFA Link: https://t.co/rcDbcVQvxt 🎯1.1M+ Results are found on https://t.co/NBEEGu7ePJ in the past year. FOFA Query: app="Roundcub
@fofabot
28 May 2026
10733 Impressions
29 Retweets
130 Likes
73 Bookmarks
1 Reply
0 Quotes
Roundcube Webmailに深刻な脆弱性。CVE-2026-48842はCVSSスコア8.1のSQLインジェクション。preg_replaceでのバックスラッシュエスケープの回避に起因。CVE-2026-48844はCVSSスコア7.5で、LDAP autovalueからのコードインジェクション
@__kokumoto
28 May 2026
772 Impressions
1 Retweet
6 Likes
2 Bookmarks
0 Replies
0 Quotes