Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

CVE-2026-48842 | Mondoo Vulnerability Intelligence

Vulnerability IntelligenceCVE-2026-48842

CVE-2026-48842

HIGH8.1

Roundcube Webmail 1

Published May 25, 2026

Modified 3 days ago

Details

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass.

References

WEB

https://github.com/roundcube/roundcubemail/commit/3406183a9976e36f992d3468f37d0e2346526ee9

WEB

https://github.com/roundcube/roundcubemail/commit/87124cc7136a48b5fa9d2b40dfead6e9dcaeaf4b

WEB

https://github.com/roundcube/roundcubemail/releases/tag/1.6.16

WEB

https://github.com/roundcube/roundcubemail/releases/tag/1.7.1

WEB

https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2026-48842

CVSS Analysis

CVSS v3.1

8.1

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

HighAC:H

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

HighA:H

8.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness Type (CWE)

Injection

CWE-89

SQL Injection

Ecosystems

Timeline

PublishedMay 25, 2026

ModifiedMay 26, 2026