
Roundcube Webmail EUVD-2026-31719

CVE-2026-48842 · HIGH
SQL Injection (CWE-89)
2026-05-25 · mitre · GHSA-vc2v-cxrw-6g4p
CVSS 3.1 score 8.1 (NVD)

Severity by source

NVD (primary): 8.1 HIGH, AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE: HIGH (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Jun 08, 2026 10:31 - Source Code Evidence Fetched (vuln.today)
Jun 08, 2026 10:31 - Analysis Generated (vuln.today)
May 26, 2026 14:01 - Patch available (EUVD)

Description (CVE.org)

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass.

Analysis (AI)

Pre-authentication SQL injection in Roundcube Webmail's virtuser_query plugin allows unauthenticated remote attackers to bypass input sanitization through a preg_replace() backslash escape flaw and inject arbitrary SQL against the backing database. Versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1 are affected. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify exposed Roundcube login endpoint
Delivery: Confirm virtuser_query plugin enabled
Exploit: Craft backslash-escape preg_replace bypass payload
Execution: Submit malicious address to trigger SQL injection
Persist: Exfiltrate credential hashes or session data
Impact: Authenticate to mailboxes or pivot into database

Vulnerability Assessment (AI)

Exploitation: The target must be a Roundcube Webmail 1.6.0-1.6.15 or 1.7.0 instance with the virtuser_query plugin enabled in config/config.inc.php (it is not in the default plugin set, so this is a meaningful limiter); the webmail login or address-lookup endpoint must be reachable by the attacker over the network. …

Risk Assessment: Signals diverge: CVSS 8.1 with AV:N/PR:N/UI:N and C:H/I:H/A:H reflects unauthenticated remote reach and full CIA impact, and SSVC labels technical impact as total; yet AC:H captures that the preg_replace bypass requires crafting a payload that successfully evades the escape logic, EPSS sits at 0.08% (23rd percentile), and SSVC exploitation status is 'none' with automatable 'no'. …

Exploit Scenario: An unauthenticated attacker submits a crafted email address containing a backslash sequence designed to evade the preg_replace() escape, targeting the login or virtuser_query lookup endpoint on an internet-facing Roundcube instance configured with the plugin. The malformed input breaks out of the quoted SQL context and executes attacker-controlled SQL, for example dumping the users table to harvest password hashes for offline cracking or pivoting to mailbox takeover. …

Remediation: Upgrade to Roundcube Webmail 1.6.16 or 1.7.1, the vendor-released patches that contain the fix commits 87124cc7136a48b5fa9d2b40dfead6e9dcaeaf4b (1.6.16) and 3406183a9976e36f992d3468f37d0e2346526ee9 (1.7.1), published in the security advisory at https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1 and the release notes at https://github.com/roundcube/roundcubemail/releases/tag/1.6.16 and https://github.com/roundcube/roundcubemail/releases/tag/1.7.1. …

Recommended Action (AI)

Within 24 hours: Inventory all Roundcube Webmail instances and identify those running versions 1.6.x prior to 1.6.16 or 1.7.x prior to 1.7.1; restrict network access to unpatched systems if immediate patching is not feasible. …


Vendor Status

SUSE: Severity High
openSUSE Leap 16.0: Fixed
openSUSE Tumbleweed: Fixed


EUVD-2026-31719 vulnerability details – vuln.today
