Threat Intelligence / CVE / CVE-2026-48848

CVE-2026-48848

CVSS 7.2 (HIGH) · EPSS 0.0% · Published 2026-05-25

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute.

CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Weaknesses (CWE)

CWE-79

Threats tracking this CVE

Roundcube Webmail Pre-Auth SQL Injection in virtuser_query Plugin (CVE-2026-48842) — Patched in 1.6.16 / 1.7.1 Alongside 7 Other Vulnerabilities — HIGH

References

https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
https://github.com/roundcube/roundcubemail/releases/tag/1.7.1
https://github.com/roundcube/roundcubemail/commit/c960d102472dc579e15907d5bcdc3103a090ccf9
https://github.com/roundcube/roundcubemail/releases/tag/1.6.16
https://github.com/roundcube/roundcubemail/commit/58e5263f341e6a418774fb6d2643669a3c4d8a27

Full detection coverage & IOCs for threats exploiting CVE-2026-48848 are available via the Threadlinqs MCP server (Purple tier). View plans →

Markdown version · Threadlinqs Intelligence