What is the CVSS score of CVE-2026-48844?

CVE-2026-48844 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Roundcube Webmail are affected by CVE-2026-48844?

Roundcube Webmail versions 1.6.x and 1.7.x contain a code injection vulnerability allowing authenticated attackers to execute arbitrary PHP code, potentially compromising email systems and sensitive…. A patch is available.

How to fix or mitigate CVE-2026-48844?

24 hours: Inventory all Roundcube instances and identify those running 1.6.x (before 1.6.16) or 1.7.x (before 1.7.1). 7 days: Begin deploying vendor patches-upgrade 1.6.x branch to 1.6.16 or later, and 1.7.x branch to 1.7.1 or later. 30 days: Complete patching of all affected Roundcube installations.

Roundcube Webmail CVE-2026-48844

EUVD-2026-31717 HIGH

Always-Incorrect Control Flow Implementation (CWE-670)

2026-05-25 mitre

GHSA-qhxr-pc4x-jrq3

Code Injection Webmail

7.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

SUSE

HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Source Code Evidence Fetched

Jun 08, 2026 - 10:26 vuln.today

Analysis Generated

Jun 08, 2026 - 10:26 vuln.today

Patch available

May 26, 2026 - 14:01 EUVD

DescriptionCVE.org

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)

AnalysisAI

Code injection in Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 allows authenticated attackers to execute arbitrary PHP via the LDAP autovalues option, which previously evaluated user-influenced expressions as code. The upstream maintainers removed code evaluation support entirely in the fixed releases. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to Roundcube webmail

Delivery

Reach LDAP address book feature

Exploit

Submit input expanding via autovalues template

Execution

Evaluator executes attacker-controlled PHP

Persist

Code runs as webmail process user

Impact

Pivot to mail data or host

Access

Authenticate to Roundcube webmail

Delivery

Reach LDAP address book feature

Exploit

Submit input expanding via autovalues template

Execution

Evaluator executes attacker-controlled PHP

Persist

Code runs as webmail process user

Impact

Pivot to mail data or host

Vulnerability AssessmentAI

Exploitation	Requires a Roundcube deployment where the LDAP address book is enabled AND the administrator configured the autovalues option using templated expressions (the feature whose evaluation path was removed in 1.6.16/1.7.1). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Signals are mixed and lean toward moderate, not critical. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker with a valid Roundcube mail account on a server whose administrators configured the LDAP address book with autovalues templates crafts contact or address-book input that, when expanded by the autovalues evaluator, yields PHP code; submitting the input through the address book causes the Roundcube backend to evaluate that code, granting arbitrary code execution under the webmail user. No public exploit is identified at time of analysis, but the patch commits themselves reveal the vulnerable evaluation pattern to anyone reviewing the diff.
Remediation	Vendor-released patch: upgrade to Roundcube Webmail 1.6.16 (for the 1.6.x branch) or 1.7.1 (for the 1.7.x branch), both published 2026-05-24 - these releases remove code evaluation support from the LDAP autovalues option entirely, per commits 6a777d7394b763ce9acfce86c1a521e14a02d862 and ea1798a6fbf060abcc0ba73b2435036bf8016a5a. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Roundcube instances and identify those running 1.6.x (before 1.6.16) or 1.7.x (before 1.7.1). …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High

Product	Status
openSUSE Leap 16.0	Fixed
openSUSE Tumbleweed	Fixed

CVE-2026-48844 vulnerability details – vuln.today

Back

Roundcube Webmail CVE-2026-48844

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code