Pre-authentication SQL Injection Vulnerability in Roundcube Webmail by Roundcube
CVE-2026-48842

8.1HIGH

Key Information:

Vendor: Roundcube
Status: Webmail
Vendor: CVE Published:; 25 May 2026

What is CVE-2026-48842?

The Roundcube Webmail application versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1 contain a pre-authentication SQL injection vulnerability in the virtuser_query plugin. This issue arises from a bypass of backslash escape sequences in the preg_replace() function, which may allow an attacker to execute arbitrary SQL commands. This vulnerability underscores the importance of keeping web applications updated to mitigate risks associated with SQL injection attacks, protecting user data and maintaining application integrity.

Affected Version(s)

Webmail 1.6.0 < 1.6.16

Webmail 1.7.0 < 1.7.1

References

https://roundcube.net/news/2026/05/24/security-updates-1....

https://github.com/roundcube/roundcubemail/releases/tag/1...

https://github.com/roundcube/roundcubemail/commit/3406183...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 25, 2026
Vulnerability Reserved
May 25, 2026

CVE-2026-48842 Data

JSON