CVE-2026-48844

HIGH

Roundcube Webmail - Always-Incorrect Control Flow Implementation

Title source: rule

Description

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)

References (5)

Core 5

Core References

https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1

https://github.com/roundcube/roundcubemail/releases/tag/1.7.1

https://github.com/roundcube/roundcubemail/commit/6a777d7394b763ce9acfce86c1a521e14a02d862

View Patch ZIP pw:eip

https://github.com/roundcube/roundcubemail/releases/tag/1.6.16

https://github.com/roundcube/roundcubemail/commit/ea1798a6fbf060abcc0ba73b2435036bf8016a5a

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0037

EPSS Percentile 28.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-670

Status published

Products (2)

Roundcube/Webmail 1.6.0 - 1.6.16

Roundcube/Webmail 1.7.0 - 1.7.1

Published May 25, 2026

Tracked Since May 26, 2026