ctipilot.ch

Roundcube Webmail HTML sanitisation bypass via SVG document permitting CSS injection

cve · CVE-2026-48848

  • Coverage timeline: 1 (first 2026-05-28 → last 2026-05-28)
  • Briefs: 1 (1 distinct)
  • Sources cited: 6 (6 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 3 (see Related entities below)

Story timeline

  1. 2026-05-28: CTI Daily Brief — 2026-05-28 (section: trending_vulns). First coverage. HIGH severity. Companion to CVE-2026-48842.

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • heise.de: 1 (17%)
  • roundcube.net: 1 (17%)
  • security-hub.ncsc.admin.ch: 1 (17%)
  • microsoft.com: 1 (17%)
  • thehackernews.com: 1 (17%)
  • welivesecurity.com: 1 (17%)

Related entities

Items in briefs about Roundcube Webmail HTML sanitisation bypass via SVG document permitting CSS injection (1)

CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection in `virtuser_query` plugin (CVSS 8.1)

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

The Roundcube Project shipped 1.6.16 (LTS) and 1.7.1 on 2026-05-24 patching a pre-authentication SQL injection in the virtuser_query plugin: an unauthenticated network attacker can inject arbitrary SQL through the plugin's login-time virtual-user lookup when the plugin is enabled (Roundcube Project, 2026-05-24; NCSC Switzerland, 2026-05-27; Heise Security, 2026-05-27). Companion fixes in the same release: CVE-2026-48844 (HIGH — code injection in the LDAP autovalues option when configured; PHP-eval-class flaw), CVE-2026-48843 (HIGH — CSS-sanitisation bypass in HTML email via SVG animate attributeName="style" that can leak data through SSRF or disclose server-side information), and CVE-2026-48848 (HIGH — HTML-sanitisation bypass permitting CSS injection via a crafted SVG document). Branches 1.5.x and earlier are EOL and do not receive patches. Roundcube is the dominant self-hosted webmail across European public administrations, ISPs and academia — NCSC Switzerland flagged the cluster as requiring prompt action.