CVE-2026-48844

Published May 25, 2026

Last updated 3 days ago

CVSS high 7.5
LDAP
Roundcube Webmail

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-48844 describes a vulnerability found in Roundcube Webmail versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1. The flaw originates from insecure code evaluation logic within the LDAP `autovalues` option. This vulnerability could allow an authenticated user to inject and execute arbitrary code, potentially leading to remote code execution on the Roundcube server. To mitigate this issue, support for code evaluation in the LDAP `autovalues` option has been removed in Roundcube Webmail versions 1.6.16 and 1.7.1.

Description: Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in the LDAP autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)

Source: cve@mitre.org

NVD status: Deferred

Risk scores

CVSS 3.1

Type: Secondary
Base score: 7.5
Impact score: 5.9
Exploitability score: 1.6
Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

CWE-670 (assigned by cve@mitre.org)

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

16