CVE-2026-48842

Published May 25, 2026

Last updated a month ago

CVSS high 8.1
Roundcube Webmail

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-48842 describes a pre-authentication SQL injection vulnerability affecting Roundcube Webmail versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1. The flaw is specifically located within the `virtuser_query` plugin and can be exploited by bypassing a `preg_replace()` backslash escape. This CVE was recently published to the CVE List and added to the NVD dataset on May 25, 2026.

Description
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass.
Source
cve@mitre.org
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.1
Impact score
5.9
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

cve@mitre.org
CWE-89

Social media

Hype score
Not currently trending
  1. CVE-2026-48842: 🚨Alert🚨 CVE-2026-48842 (CVSS 8.1) && CVE-2026-48842-CVE-2026-48849:Critical Roundcube Webmail Security Updates Fix Severe Flaws 📊 2.6M+ Services are found on the yearly. 🔗Hunter Link: 👇Query…

    @lyrie_ai

    8 Jun 2026

    49 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. ⚠️ Vulnerabilidades en productos Roundcube ❗ CVE-2026-48848 ❗ CVE-2026-48844 ❗ CVE-2026-48842 ➡️ Más info: https://t.co/YJE7XaZV9p https://t.co/SiNDcHSZ7h

    @CERTpy

    2 Jun 2026

    138 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Roundcube 1.6.16 öncesi ve 1.7.1 öncesi sürümleri etkileyen yüksek CVSS skorlu Güvenlik Açıkları duyuruldu. SQL Injection ve RCE riski var. Roundcube sürümünüzü 1.7.1 veya 1.6.16 sürümlerinden birine güncelleyin. CVE: CVE-2026-48842 CVE-2026-48843 CVE-2026-48848

    @ridvanyagli

    29 May 2026

    280 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨Alert🚨 CVE-2026-48842 (CVSS 8.1) && CVE-2026-48842-CVE-2026-48849 :Critical Roundcube Webmail Security Updates Fix Severe Flaws 📊 2.6M+ Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/BZe1fAjhlA 👇Query HUNTER : https://t

    @HunterMapping

    29 May 2026

    4824 Impressions

    16 Retweets

    71 Likes

    33 Bookmarks

    0 Replies

    1 Quote

  5. NEW THREAT INTEL: Roundcube pre-auth SQLi CVE-2026-48842 (8.1) - preg_replace bypass on cPanel/Plesk. Patch 1.6.16/1.7.1. https://t.co/sbGDi4V5d6 #ThreatIntel #SQLi https://t.co/Q8ovD0ZcAR

    @threadlinqs

    28 May 2026

    84 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. ⚠️⚠️ CVE-2026-48842 (CVSS 8.1) + CVE-2026-48844 (CVSS 7.5): Pre-auth SQLi in Roundcube virtuser_query plugin; patch to 1.6.16 / 1.7.1. 🔗FOFA Link: https://t.co/rcDbcVQvxt 🎯1.1M+ Results are found on https://t.co/NBEEGu7ePJ in the past year. FOFA Query: app="Roundcub

    @fofabot

    28 May 2026

    10733 Impressions

    29 Retweets

    130 Likes

    73 Bookmarks

    1 Reply

    0 Quotes

  7. Roundcube Webmailに深刻な脆弱性。CVE-2026-48842はCVSSスコア8.1のSQLインジェクション。preg_replaceでのバックスラッシュエスケープの回避に起因。CVE-2026-48844はCVSSスコア7.5で、LDAP autovalueからのコードインジェクション

    @__kokumoto

    28 May 2026

    772 Impressions

    1 Retweet

    6 Likes

    2 Bookmarks

    0 Replies

    0 Quotes