CVE-2021-44026

CRITICAL KEV

Roundcube < 1.3.17 and 1.4.x < 1.4.12 - SQL Injection via Search Parameters


Exploitation Summary

CVE-2021-44026 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 22, 2023. EIP tracks 3 public exploits from researchers including pentesttoolscom, skyllpro, shanglyu.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2021-44026, a SQL injection vulnerability in Roundcube. The exploit leverages CVE-2020-35730 (XSS) to deliver a payload that exfiltrates session data and emails via a Flask-based C2 server.

Description

Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.

Exploits (3)

nomisec · WORKING POC · 13 stars
by pentesttoolscom · remote
https://github.com/pentesttoolscom/roundcube-cve-2021-44026


Classification: Working PoC (95%)
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Roundcube Webmail
No auth needed
Prerequisites: Valid SMTP credentials for sending the malicious email · Target must interact with the malicious email · Roundcube instance vulnerable to CVE-2020-35730 and CVE-2021-44026
Analyzed by devstral-2 · Feb 16, 2026
nomisec · WORKING POC
by skyllpro · client-side
https://github.com/skyllpro/CVE-2021-44026-PoC

This PoC demonstrates a chained exploit combining XSS and SQLi in Roundcube Webmail to exfiltrate session data. The Python script sends a malicious email with an XSS payload that triggers a SQL injection to extract session variables.

Classification: Working PoC (95%)
Attack Type: XSS, SQLi, Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Roundcube Webmail (version not specified)
Auth required
Prerequisites: Valid SMTP credentials for sending email · Target must open the malicious email in Roundcube Webmail · Attacker-controlled C2 server
Analyzed by devstral-2 · Feb 16, 2026
nomisec · WORKING POC
by shanglyu · client-side
https://github.com/shanglyu/roundcube-cve-2021-44026

This repository contains a functional exploit for CVE-2021-44026, a SQL injection vulnerability in Roundcube. The exploit leverages an XSS (CVE-2020-35730) to deliver a malicious payload that exfiltrates session data and emails from the target's Roundcube instance.

Classification: Working PoC (95%)
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Roundcube
No auth needed
Prerequisites: SMTP server access · valid sender email credentials · target email address
Analyzed by devstral-2 · May 26, 2026

Scores

CVSS v3 9.8
EPSS 0.7253
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2023-06-22
VulnCheck KEV 2023-06-20
InTheWild.io 2023-06-22
ENISA EUVD EUVD-2021-30885
CWE
CWE-89
Status published
Products (6)
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 33
fedoraproject/fedora 34
roundcube/webmail < 1.3.17
Published Nov 19, 2021
KEV Added Jun 22, 2023
Tracked Since Feb 18, 2026