CVE-2026-48845
Published May 25, 2026
In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message.
Affected Software
1 affected component
Roundcube: Roundcube Webmail >=1.6.14 <=1.6.16, >=1.7.0 <1.7.1
Event History
May 25, 2026
CVE Published
via MITRE·07:18 PM
Data Sourced
via MITRE·07:18 PM
Frequently Asked Questions
1. What is the severity of CVE-2026-48845?
The severity of CVE-2026-48845 is medium with a score of 6.5.
2. How do I fix CVE-2026-48845?
To fix CVE-2026-48845, upgrade to Roundcube Webmail version 1.6.16 or 1.7.1.
3. What vulnerabilities are associated with CVE-2026-48845?
CVE-2026-48845 may lead to information disclosure or privilege escalation via HTML email messages.
4. Which versions of Roundcube are affected by CVE-2026-48845?
Roundcube Webmail versions 1.6.14 to 1.6.16 and 1.7.x before 1.7.1 are affected by CVE-2026-48845.
5. What types of attacks are possible due to CVE-2026-48845?
CVE-2026-48845 could allow an attacker to bypass remote image blocking with a text/html email message whose image URLs point to local/private destinations.