CVE-2026-48847
Received
Received - Intake
Arbitrary File Deletion in Roundcube Webmail
Publication date: 2026-05-25
Last updated on: 2026-05-25
Assigner: MITRE
Description
Description
Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roundcube | roundcube | to 1.6.16 (exc) |
| roundcube | roundcube | to 1.7.1 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-669 | The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Roundcube Webmail versions 1.6.x before 1.6.16 and 1.7.x before 1.7.1. It allows an attacker to delete arbitrary files without authentication by exploiting a session poisoning technique involving redis or memcache.
How can this vulnerability impact me? :
The impact of this vulnerability is limited to availability since it allows arbitrary file deletion. An attacker could delete important files, potentially disrupting the normal operation of the Roundcube Webmail service.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70