CVE-2026-48844

Summary

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)

Affected Software

VendorProductVersion RangeStatus
RoundcubeWebmail1.6.0 < 1.6.16affected
RoundcubeWebmail1.7.0 < 1.7.1affected

Weaknesses

  • CWE-670: CWE-670 Always-Incorrect Control Flow Implementation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References