CVE-2026-48844
Deferred
Deferred - Pending Action
Code Injection in Roundcube Webmail via LDAP Autovalues
Vulnerability report for CVE-2026-48844, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-05-25
Last updated on: 2026-05-25
Assigner: MITRE
Description
Description
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roundcube | roundcube | to 1.6.16 (exc) |
| roundcube | roundcube | to 1.7.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-670 | The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. |