CVE-2026-48844: Code Injection
Published May 25, 2026
·Updated
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)
Affected Software
1 affected component
Roundcube Roundcube Webmail<1.6.16, <1.7.1
Event History
May 25, 2026
CVE Published
via MITRE·07:14 PM
Data Sourced
via MITRE·07:14 PM
DescriptionSeverityWeakness
Frequently Asked Questions
1
What is the severity of CVE-2026-48844?
The severity of CVE-2026-48844 is classified as high with a score of 7.5.
2
What is CVE-2026-48844 regarding Roundcube Webmail?
CVE-2026-48844 refers to insecure code evaluation logic in LDAP in Roundcube Webmail that may allow for code injection.
3
How can I fix CVE-2026-48844?
To fix CVE-2026-48844, upgrade to Roundcube Webmail version 1.6.16 or 1.7.1 or later.
4
What versions of Roundcube Webmail are affected by CVE-2026-48844?
Versions of Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 are affected by CVE-2026-48844.
5
What vulnerabilities are associated with CVE-2026-48844?
CVE-2026-48844 is associated with code injection vulnerabilities due to insecure code evaluation in LDAP.