ctipilot.ch

Roundcube Webmail HTML sanitisation bypass via SVG document permitting CSS injection; patched in 1.6.16 LTS / 1.7.1

cve · CVE-2026-48848

Coverage timeline
1
first 2026-05-28 → last 2026-05-28
Peak priority
high
1 high
Sources cited
3
3 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
3
see Related entities below
ATT&CK techniques
0
no mapped behavior yet

Story timeline

  1. 2026-05-28CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection in virtuser_query plugin (CVSS 8.1)
    trending-vulnerabilities

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • heise.de1 (33%)
  • roundcube.net1 (33%)
  • security-hub.ncsc.admin.ch1 (33%)

Co-occurring entities

Derived — referenced by the same entries; ×N counts the shared entries.

Entries about Roundcube Webmail HTML sanitisation bypass via SVG document permitting CSS injection; patched in 1.6.16 LTS / 1.7.1 (1)

2026-05-28 · view entry permalink →

CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection in virtuser_query plugin (CVSS 8.1)

The Roundcube Project shipped 1.6.16 (LTS) and 1.7.1 on 2026-05-24 patching a pre-authentication SQL-injection in the virtuser_query plugin: an unauthenticated network attacker can inject arbitrary SQL through the plugin's login-time virtual-user lookup when the plugin is enabled (Roundcube Project, 2026-05-24; NCSC Switzerland, 2026-05-27; Heise Security, 2026-05-27). Companion fixes in the same release: CVE-2026-48844 (HIGH — code injection in the LDAP autovalues option when configured; PHP-eval-class flaw), CVE-2026-48843 (HIGH — CSS-sanitisation bypass in HTML email via SVG animate attributeName="style" that can leak data through SSRF or disclose server-side information), and CVE-2026-48848 (HIGH — HTML-sanitisation bypass permitting CSS injection via a crafted SVG document). Branches 1.5.x and earlier are EOL and do not receive patches. Roundcube is the dominant self-hosted webmail across European public administrations, ISPs and academia — NCSC Switzerland flagged the cluster as requiring prompt action.

vulnerability28 May 05:00Zmulti-sourceOpen finding ↗