Code Injection Vulnerability in Roundcube Webmail by Roundcube
CVE-2026-48844

7.5HIGH

Key Information:

Vendor: Roundcube
Status: Webmail
Vendor: CVE Published:; 25 May 2026

What is CVE-2026-48844?

Roundcube Webmail versions prior to 1.6.16 and 1.7.1 are susceptible to a code injection vulnerability stemming from insecure code evaluation in the LDAP autovalues option. This flaw could potentially allow attackers to execute arbitrary code within the web application. Users are strongly advised to upgrade their installations to the latest versions where this insecure functionality has been addressed.

Affected Version(s)

Webmail 1.6.0 < 1.6.16

Webmail 1.7.0 < 1.7.1

References

https://roundcube.net/news/2026/05/24/security-updates-1....

https://github.com/roundcube/roundcubemail/releases/tag/1...

https://github.com/roundcube/roundcubemail/commit/6a777d7...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 25, 2026
Vulnerability Reserved
May 25, 2026

CVE-2026-48844 Data

JSON