CVE-2026-48844
BaseFortify
Publication date: 2026-05-25
Last updated on: 2026-05-25
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roundcube | roundcube | 1.6.x before 1.6.16 (1.6.16 excluded) |
| roundcube | roundcube | 1.7.x before 1.7.1 (1.7.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-670 | The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Roundcube Webmail to version 1.6.16 or later if you are on the 1.6.x branch, or to version 1.7.1 or later if you are on the 1.7.x branch. These releases remove support for code evaluation in the LDAP autovalues option, eliminating the insecure code evaluation logic that could lead to code injection.
Can you explain this vulnerability to me?
This vulnerability exists in Roundcube Webmail versions 1.6.x before 1.6.16 and 1.7.x before 1.7.1. It involves insecure code evaluation logic in the LDAP autovalues option, which could allow an attacker to perform code injection. The issue was addressed by removing support for code evaluation in versions 1.6.16 and 1.7.1.
How can this vulnerability impact me?
The vulnerability can lead to code injection, meaning an attacker could execute arbitrary code on the affected system. This can result in a complete compromise of the confidentiality, integrity, and availability of the system, potentially allowing unauthorized access, data theft, or disruption of services.