CVE-2026-48844
7.5
HIGH
CVSS 3.1
EPSS 0.05%
Description
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)
How to fix CVE-2026-48844
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- Debian/roundcube—no fix listed
Is CVE-2026-48844 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |