ctipilot.ch


CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

Roundcube 1.6.16 and 1.7.1 fix a pre-authentication SQL injection in the virtuser_query plugin path (CVE-2026-48842, CVSS 8.1, first covered 2026-05-28, alongside three further fixed CVEs in the same releases); NCSC.ch carried it as Security Hub post 12596. Roundcube is the default webmail front-end for a large number of European public-sector, education and hosting deployments, and the pre-auth profile means an attacker needs no mailbox to reach the injection. Patch to the fixed branches and review web logs for anomalous query strings against the login and virtual-user endpoints.
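An added triage helper for the two actions above (not code from ctipilot.ch or the Roundcube project): it checks a deployed version against the fixed releases the brief names and flags access-log requests to the login action whose query strings carry SQL metacharacters. The `_task=login`/`_action=login` request shape, the log format and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# First fixed version per branch, as stated in the brief (CVE-2026-48842).
FIXED = {(1, 6): (1, 6, 16), (1, 7): (1, 7, 1)}

def parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.strip().split("."))

def is_fixed(version: str) -> bool:
    """True if this Roundcube version carries the fix for CVE-2026-48842.
    Branches older than 1.6 are treated as unfixed and branches newer than
    1.7 as fixed; both are assumptions, not statements from the brief."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v >= FIXED[branch]
    return branch > (1, 7)

# Combined-log-format request field: method, target (path + query), status.
LOG_RE = re.compile(r'"(?P<m>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Assumed shape of a Roundcube login request.
LOGIN_HINT = re.compile(r"_task=login|_action=login")
# Metacharacters and keywords that have no business in login parameters.
SQLI_HINT = re.compile(r"'|--|/\*|;|\b(union|select)\b", re.I)

def suspicious(line: str) -> bool:
    """Flag login-endpoint requests whose decoded query string looks like SQL.
    Caveat: POST bodies are not in access logs, so form-posted payloads are
    invisible here; this only covers what lands in the query string."""
    m = LOG_RE.search(line)
    if not m or not LOGIN_HINT.search(m.group("target")):
        return False
    decoded = unquote(urlsplit(m.group("target")).query)
    return bool(SQLI_HINT.search(decoded))

# Constructed sample lines: a clean login, an injection attempt, and a
# non-login request that is out of scope for this check.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/May/2026:09:14:02 +0200] "POST /?_task=login HTTP/1.1" 302 512',
    '10.0.0.9 - - [28/May/2026:09:15:44 +0200] "GET /?_task=login&_user=a%27%20OR%201%3D1-- HTTP/1.1" 200 811',
    '10.0.0.7 - - [28/May/2026:09:16:10 +0200] "GET /?_task=mail&_uid=1%27 HTTP/1.1" 200 3012',
]

def triage(version: str, lines) -> dict:
    """Summarise patch state and log hits for one host."""
    return {"fixed": is_fixed(version), "hits": [l for l in lines if suspicious(l)]}

if __name__ == "__main__":
    print(triage("1.6.15", SAMPLE_LOG))
```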