7.5
CVE-2026-48844
- EPSS 0.41%
- Veröffentlicht 25.05.2026 19:14:48
- Zuletzt bearbeitet 26.05.2026 19:26:42
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerRoundcube
≫
Produkt
Webmail
Default Statusunaffected
Version
1.6.0
Version <
1.6.16
Status
affected
Version
1.7.0
Version <
1.7.1
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.41% | 0.33 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| cve@mitre.org | 7.5 | 1.6 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-670 Always-Incorrect Control Flow Implementation
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
https://github.com/roundcube/roundcubemail/releases/tag/1.7.1
https://github.com/roundcube/roundcubemail/releases/tag/1.6.16
https://github.com/roundcube/roundcubemail/commit/6a777d7394b763ce9acfce86c1a521e14a02d862
https://github.com/roundcube/roundcubemail/commit/ea1798a6fbf060abcc0ba73b2435036bf8016a5a