ctipilot.ch


CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection

notable vulnerability discovered 2026-05-25 05:00 UTC

Part of run 2026-W22-da77963d (weekly · Claude Opus 4.8)

Roundcube 1.6.16 / 1.7.1 fixed a pre-authentication SQL injection in the virtuser_query plugin path (CVE-2026-48842, CVSS 8.1, first covered 2026-05-28), alongside three further fixed CVEs in the same release; NCSC.ch carried it as Security Hub post 12596. Roundcube is the default webmail front-end for a large number of European public-sector, education and hosting deployments, and the pre-auth profile means an attacker needs no mailbox to reach the injection. Upgrade to the fixed releases (1.6.16 or 1.7.1) and review web logs for anomalous query strings against the login and virtual-user endpoints.
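As an added illustration of the log review the brief recommends (example code written for this page, not from Roundcube or the NCSC post), the following Python scans constructed access-log lines for requests against Roundcube's login task (`_task=login`) whose query parameters contain SQL metacharacters. Because the brief does not publish the injection vector, the pattern is a generic heuristic and an assumption; only GET parameters are visible in access logs, so POST bodies need application-level logging.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [28/May/2026:09:14:02 +0000] "GET /?_task=login HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.5 - - [28/May/2026:09:14:09 +0000] "POST /?_task=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [28/May/2026:09:15:31 +0000] "GET /?_task=login&_user=a'%20OR%201=1--%20 HTTP/1.1" 200 4312 "-" "curl/8.5"
198.51.100.7 - - [28/May/2026:09:15:40 +0000] "GET /?_task=mail&_uid=12 HTTP/1.1" 200 9000 "-" "curl/8.5"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic SQL metacharacters/keywords checked against each decoded parameter value.
# Assumption: the exact vector is not public here, so this is a generic SQLi indicator
# and will need tuning against false positives (e.g. legitimate apostrophes in names).
SQLI_RE = re.compile(r"(?i)(['\"]|--|/\*|\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+select\b|\bsleep\s*\(|;)")


def is_pre_auth(params):
    # Roundcube selects the login task with _task=login; a request with no task
    # also lands on the login page, so both count as the unauthenticated surface.
    return params.get("_task", "login") == "login"


def flag_line(line):
    """Return a finding dict for a suspicious pre-auth request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    params = dict(parse_qsl(query, keep_blank_values=True))  # percent/plus decoding done here
    if not is_pre_auth(params):
        return None
    suspicious = {k: v for k, v in params.items() if SQLI_RE.search(v)}
    if not suspicious:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
            "suspicious": suspicious}


def scan(log_text):
    """Scan multi-line access-log text and return all findings."""
    return [f for f in (flag_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```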

vulnerabilities pre-auth sqli info-disclosure patch-available europe global CVE-2026-48842