CVE-2026-48844_CVE-2026-48844

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)

Basic Information

ID CVE-2026-48844

Source mitre

Published May 25, 2026 at 19:14

Affected Product

Vendor Roundcube

Product Webmail

Version 1.6.0

Affected Versions Roundcube Webmail 1.6.0
Roundcube Webmail 1.7.0

CWE Classification

CWE-670

References

{
    "lastseen": "",
    "description": "Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)",
    "published": "2026-05-25T19:14:48.753Z",
    "modified": "2026-05-25T19:14:48.753Z",
    "type": "cve",
    "title": "CVE-2026-48844",
    "source": "mitre",
    "references": "https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1\nhttps://github.com/roundcube/roundcubemail/releases/tag/1.7.1\nhttps://github.com/roundcube/roundcubemail/commit/6a777d7394b763ce9acfce86c1a521e14a02d862\nhttps://github.com/roundcube/roundcubemail/releases/tag/1.6.16\nhttps://github.com/roundcube/roundcubemail/commit/ea1798a6fbf060abcc0ba73b2435036bf8016a5a",
    "id": "CVE-2026-48844",
    "bulletinFamily": "",
    "cwe": [
        "CWE-670"
    ],
    "cvelist": null,
    "sourceData": "Roundcube Webmail 1.6.0\nRoundcube Webmail 1.7.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Webmail",
    "version": "1.6.0",
    "vendor": "Roundcube",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}