The Roundcube Project shipped 1.6.16 (LTS) and 1.7.1 on 2026-05-24 patching a pre-authentication SQL-injection in the virtuser_query plugin: an unauthenticated network attacker can inject arbitrary SQL through the plugin's login-time virtual-user lookup when the plugin is enabled (Roundcube Project, 2026-05-24; NCSC Switzerland, 2026-05-27; Heise Security, 2026-05-27). Companion fixes in the same release: CVE-2026-48844 (HIGH — code injection in the LDAP autovalues option when configured; PHP-eval-class flaw), CVE-2026-48843 (HIGH — CSS-sanitisation bypass in HTML email via SVG animate attributeName="style" that can leak data through SSRF or disclose server-side information), and CVE-2026-48848 (HIGH — HTML-sanitisation bypass permitting CSS injection via a crafted SVG document). Branches 1.5.x and earlier are EOL and do not receive patches. Roundcube is the dominant self-hosted webmail across European public administrations, ISPs and academia — NCSC Switzerland flagged the cluster as requiring prompt action.
Roundcube 1.6.16 / 1.7.1 fixed a pre-authentication SQL injection in the virtuser_query plugin path (CVE-2026-48842, CVSS 8.1, first covered 2026-05-28, with three further fixed CVEs in the same release); NCSC.ch carried it as Security Hub post 12596. Roundcube is the default webmail front-end for a large number of European public-sector, education and hosting deployments, and the pre-auth profile means an attacker needs no mailbox to reach the injection. Patch to the fixed branches and review web logs for anomalous query strings against the login and virtual-user endpoints.