CVE-2026-48844
7.5 HIGH · Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in the LDAP autovalues option that could ...
Published: 2026-05-25 · Last updated: 2026-05-26
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-670
Description
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in the LDAP autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-48844
- [Other] https://github.com/roundcube/roundcubemail/commit/6a777d7394b763ce9acfce86c1a521e14a02d862
- [Other] https://github.com/roundcube/roundcubemail/commit/ea1798a6fbf060abcc0ba73b2435036bf8016a5a
- [Other] https://github.com/roundcube/roundcubemail/releases/tag/1.6.16
- [Other] https://github.com/roundcube/roundcubemail/releases/tag/1.7.1
- [Other] https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
Related CVEs
Same CWE
- CVE-2026-12321 — JIT miscompilation in the JavaScript: WebAssembly component (5.4 MEDIUM)
- CVE-2026-20171 — A vulnerability in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 Series Switches and Cisco Nex... (6.8 MEDIUM)
- CVE-2026-38361 — Multiple unauthenticated denial-of-service (DoS) issues in fohrloop dash-uploader v0.1.0 through v0.7.0a2 (7.5 HIGH)