CVE-2026-48844

CVSS 7.5 (HIGH) · EPSS 0.0% · Published 2026-05-25

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in the LDAP autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)

CVSS v3 vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-670
