ctipilot.ch

Roundcube Webmail pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass; CVSS 8.1; patched in 1.6.16 LTS / 1.7.1

cve · CVE-2026-48842

Coverage timeline
2
first 2026-05-25 → last 2026-05-31
Peak priority
high
1 high · 1 notable
Sources cited
3
3 hosts
Sections touched
2
trending-vulnerabilities, weekly-vuln-rollup
Co-occurring entities
3
see Related entities below
ATT&CK techniques
0
no mapped behavior yet

Story timeline

  1. 2026-05-28CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection in virtuser_query plugin (CVSS 8.1)
    trending-vulnerabilities
  2. 2026-05-25CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection
    weekly-vuln-rollup

Where this entity is cited

  • weekly-vuln-rollup1
  • trending-vulnerabilities1

Source distribution

  • heise.de1 (33%)
  • roundcube.net1 (33%)
  • security-hub.ncsc.admin.ch1 (33%)

Co-occurring entities

Derived — referenced by the same entries; ×N counts the shared entries.

Entries about Roundcube Webmail pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass; CVSS 8.1; patched in 1.6.16 LTS / 1.7.1 (2)

2026-05-28 · view entry permalink →

CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection in virtuser_query plugin (CVSS 8.1)

The Roundcube Project shipped 1.6.16 (LTS) and 1.7.1 on 2026-05-24 patching a pre-authentication SQL-injection in the virtuser_query plugin: an unauthenticated network attacker can inject arbitrary SQL through the plugin's login-time virtual-user lookup when the plugin is enabled (Roundcube Project, 2026-05-24; NCSC Switzerland, 2026-05-27; Heise Security, 2026-05-27). Companion fixes in the same release: CVE-2026-48844 (HIGH — code injection in the LDAP autovalues option when configured; PHP-eval-class flaw), CVE-2026-48843 (HIGH — CSS-sanitisation bypass in HTML email via SVG animate attributeName="style" that can leak data through SSRF or disclose server-side information), and CVE-2026-48848 (HIGH — HTML-sanitisation bypass permitting CSS injection via a crafted SVG document). Branches 1.5.x and earlier are EOL and do not receive patches. Roundcube is the dominant self-hosted webmail across European public administrations, ISPs and academia — NCSC Switzerland flagged the cluster as requiring prompt action.

vulnerability28 May 05:00Zmulti-sourceOpen finding ↗

2026-05-25 · view entry permalink →

CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection

Roundcube 1.6.16 / 1.7.1 fixed a pre-authentication SQL injection in the virtuser_query plugin path (CVE-2026-48842, CVSS 8.1, first covered 2026-05-28, with three further fixed CVEs in the same release); NCSC.ch carried it as Security Hub post 12596. Roundcube is the default webmail front-end for a large number of European public-sector, education and hosting deployments, and the pre-auth profile means an attacker needs no mailbox to reach the injection. Patch to the fixed branches and review web logs for anomalous query strings against the login and virtual-user endpoints.

vulnerability25 May 05:00Zmulti-sourceOpen finding ↗