3.7
CVE-2026-48847
- EPSS 0.43%
- Veröffentlicht 25.05.2026 19:23:40
- Zuletzt bearbeitet 26.05.2026 19:26:42
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerRoundcube
≫
Produkt
Webmail
Default Statusunaffected
Version
1.6.0
Version <
1.6.16
Status
affected
Version
1.7.0
Version <
1.7.1
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.43% | 0.345 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| cve@mitre.org | 3.7 | 2.2 | 1.4 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
|
CWE-669 Incorrect Resource Transfer Between Spheres
The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
https://github.com/roundcube/roundcubemail/releases/tag/1.7.1
https://github.com/roundcube/roundcubemail/releases/tag/1.6.16
https://github.com/roundcube/roundcubemail/commit/a4eb375b98cc3d055de665c34efc729dd8ef272a
https://github.com/roundcube/roundcubemail/commit/703318e6a59515b73b0d8aa2a91e346b02f56baa