CVE-2026-48844
published 2026-05-25
CVE-2026-48844: Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code…
Priority P3 · 46 · high · 7.5 · CVSS 3.1
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
0.41%
33.1st percentile
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| roundcube | webmail | >= 1.6.0 < 1.6.16 | 1.6.16 |
| roundcube | webmail | >= 1.7.0 < 1.7.1 | 1.7.1 |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
cvelistv5 · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
GHSA
GHSA-qhxr-pc4x-jrq3: Roundcube Webmail 1
ghsa_unreviewed·2026-05-26
CVE-2026-48844 [HIGH] CWE-670 GHSA-qhxr-pc4x-jrq3: Roundcube Webmail 1
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)
CVEList
CVE-2026-48844: Roundcube Webmail 1
cvelistv5·2026-05-25·CVSS 7.5
CVE-2026-48844 [HIGH] CWE-670 CVE-2026-48844: Roundcube Webmail 1
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)
VulDB
Roundcube Webmail up to 1.6.15/1.7.0 LDAP control flow
vuldb·2026-05-25
CVE-2026-48844 [LOW] Roundcube Webmail up to 1.6.15/1.7.0 LDAP control flow
A vulnerability marked as problematic has been reported in Roundcube Webmail up to 1.6.15/1.7.0. Affected is an unknown function of the component LDAP. This manipulation causes incorrect control flow.
This vulnerability is handled as CVE-2026-48844. The attack can be initiated remotely. There is not any exploit available.
It is suggested to upgrade the affected component.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-48844 roundcubemail: code injection via insecure LDAP autovalues option [epel-all]
bugzilla·2026-05-26·CVSS 7.5
CVE-2026-48844 [HIGH] CVE-2026-48844 roundcubemail: code injection via insecure LDAP autovalues option [epel-all]
CVE-2026-48844 roundcubemail: code injection via insecure LDAP autovalues option [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-48844 roundcubemail: code injection via insecure LDAP autovalues option [fedora-all]
bugzilla·2026-05-26·CVSS 7.5
CVE-2026-48844 [HIGH] CVE-2026-48844 roundcubemail: code injection via insecure LDAP autovalues option [fedora-all]
CVE-2026-48844 roundcubemail: code injection via insecure LDAP autovalues option [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-48844 roundcubemail: code injection via insecure LDAP autovalues option
bugzilla·2026-05-25·CVSS 7.5
CVE-2026-48844 [HIGH] CVE-2026-48844 roundcubemail: code injection via insecure LDAP autovalues option
CVE-2026-48844 roundcubemail: code injection via insecure LDAP autovalues option
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)
https://github.com/roundcube/roundcubemail/commit/6a777d7394b763ce9acfce86c1a521e14a02d862
https://github.com/roundcube/roundcubemail/commit/ea1798a6fbf060abcc0ba73b2435036bf8016a5a
https://github.com/roundcube/roundcubemail/releases/tag/1.6.16
https://github.com/roundcube/roundcubemail/releases/tag/1.7.1
https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
2026-05-25
Published