CVE-2026-48842 HIGH

CVE-2026-48842

Vendor Roundcube

Product Webmail

Weakness CWE-89 · SQLi

Published May 25, 2026

Last update June 3, 2026

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass.

Key dates

02Disclosure timeline

May 25, 2026 CVE published

June 3, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-48842 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities

04Related CVE

CVE-2024-3561 Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) SQL Injection via Term Custom Field CVE-2023-1091 SQL Injection found in ALPATA's Licensed Warehousing Automation System CVE-2025-4361 PHPGurukul Company Visitor Management System department.php sql injection CVE-2024-2386 WordPress Plugin for Google Maps – WP MAPS <= 4.6.1 - Authenticated (Contributor+) SQL Injection CVE-2025-10387 codesiddhant Jasmin Ransomware handshake.php sql injection

Identifiers

CVE CVE-2026-48842

CWE CWE-89

CVSS 8.1 / HIGH

Affected versions

Vendor Roundcube

Product Webmail

Affected ≥ 1.6.0 and < 1.6.16

Vendor Roundcube

Product Webmail

Affected ≥ 1.7.0 and < 1.7.1