CVE-2026-48844 | THREATINT

Description

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)

PUBLISHED Reserved 2026-05-25 | Published 2026-05-25 | Updated 2026-05-26 | Assigner mitre

HIGH: 7.5CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-670 Always-Incorrect Control Flow Implementation

Product status

Default status

unaffected

1.6.0 (semver) before 1.6.16

affected

1.7.0 (semver) before 1.7.1

affected

References

roundcube.net/...026/05/24/security-updates-1.6.16-and-1.7.1

github.com/roundcube/roundcubemail/releases/tag/1.7.1

github.com/...ommit/6a777d7394b763ce9acfce86c1a521e14a02d862

github.com/roundcube/roundcubemail/releases/tag/1.6.16

github.com/...ommit/ea1798a6fbf060abcc0ba73b2435036bf8016a5a

cve.org (CVE-2026-48844)

nvd.nist.gov (CVE-2026-48844)

Download JSON