The Roundcube development team has released urgent Roundcube Webmail security updates, shipped as versions 1.6.16 and 1.7.1, to secure email infrastructure. The patched bugs allow attackers to execute SQL injection attacks or run unauthorized code, so administrators should deploy these critical platform fixes immediately.
Severe Injection and Pre-Auth Vulnerabilities
Pre-Auth SQL Injection
To begin with, the most severe flaw is a pre-authentication SQL injection vulnerability affecting the popular virtuser_query plugin. Security researchers track it as CVE-2026-48842, which carries a high CVSS score of 8.1. It stems from a bypass of the preg_replace-based backslash escaping, so an unauthenticated adversary can exploit the gap to manipulate backend database records.
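The mechanism named above, a backslash escape that can be bypassed, is a general weakness of hand-rolled string escaping. The following added example (not Roundcube's code, and not a reproduction of the actual CVE-2026-48842 bug) shows how a defender can test an escaper against a string-literal model and why a parameterised query removes the problem entirely. It assumes a database, such as MySQL, in which a backslash escapes the next character inside a single-quoted literal; the `virtuser` table, its rows and the probe strings are constructed for the demonstration.

```python
"""Added example (not Roundcube's code): checking an escaper against a
string-literal model, and the parameterised alternative.

Assumption (not from the page): the scanner below models a database in
which a backslash escapes the next character inside '...' literals.
"""
import re
import sqlite3


def literal_is_intact(body: str) -> bool:
    """Return True if `body`, placed between two single quotes, still forms
    exactly one string literal under backslash-escape rules."""
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            if i + 1 >= len(body):
                return False  # a trailing backslash would swallow the closing quote
            i += 2            # the backslash consumes the next character
            continue
        if ch == "'":
            return False      # an unescaped quote terminates the literal early
        i += 1
    return True


def escape_quotes_only(value: str) -> str:
    """Naive regex escaper: handles quotes but forgets the escape character."""
    return re.sub(r"'", r"\\'", value)


def escape_quotes_and_backslashes(value: str) -> str:
    """Escaper that also escapes the backslash itself."""
    return re.sub(r"([\\'])", r"\\\1", value)


# Constructed probe inputs; a safe escaper must keep every one inside the literal.
PROBES = ["alice", "o'brien", "path\\to", "\\'", "trailing\\"]


def escaper_is_safe(escaper) -> bool:
    """Run every probe through `escaper` and check the literal stays intact."""
    return all(literal_is_intact(escaper(probe)) for probe in PROBES)


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table mimicking a virtual-user mapping."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtuser (address TEXT, mailbox TEXT)")
    conn.executemany(
        "INSERT INTO virtuser VALUES (?, ?)",
        [("alice@example.test", "alice"), ("\\'@example.test", "quirky")],
    )
    return conn


def lookup_mailbox(conn: sqlite3.Connection, address: str):
    """Parameterised lookup: the driver binds `address` as data, so no
    escaping logic exists to get wrong."""
    row = conn.execute(
        "SELECT mailbox FROM virtuser WHERE address = ?", (address,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print("quotes-only escaper safe:", escaper_is_safe(escape_quotes_only))
    print("quotes+backslash escaper safe:", escaper_is_safe(escape_quotes_and_backslashes))
    conn = demo_db()
    for addr in ("alice@example.test", "\\'@example.test", "nobody@example.test"):
        print(addr, "->", lookup_mailbox(conn, addr))
```

The probe-based check is the kind of regression test a plugin author can keep beside any escaping code, but the real lesson is the last function: with bound parameters the awkward inputs are simply looked up as data.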
Code Evaluation Risks
Furthermore, developers eliminated a critical code injection threat, tracked as CVE-2026-48844 with a CVSS score of 7.5. To resolve it, maintainers removed support for direct code evaluation in the LDAP autovalues configuration. This change prevents attackers from executing arbitrary commands on the server.
XSS and Sanitizer Bypasses
Sanitizer and CSS Flaws
Meanwhile, the new releases address multiple cross-site scripting (XSS) problems. For example, CVE-2026-48848 describes a CSS injection bypass in the core HTML sanitizer: attackers can abuse the SVG <animate> token to inject arbitrary styles. Additionally, CVE-2026-48849 fixes a stored XSS flaw in the subject field of the draft restore dialog.
Session Poisoning and Overrides
Additionally, the update addresses a session poisoning bypass tracked as CVE-2026-48847. This flaw could let unauthorized users trigger pre-auth arbitrary file deletions via redis or memcache caches. Ultimately, these Roundcube Webmail security updates close vital authentication and verification loopholes. The releases also patch several Server-Side Request Forgery (SSRF) bypasses: for instance, the fixes for CVE-2026-48845 and CVE-2026-48846 block unauthorized local URL fetches and bypasses of the remote image restrictions. Finally, administrators can download the updates to secure their networks against immediate remote exploitation attempts.
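The SSRF fixes above restrict which URLs the server will fetch on a user's behalf. The following added example (not Roundcube's code, and not its actual remote-image check) shows the shape of such a guard: every address a hostname resolves to must be public before a fetch is allowed, IPv4-mapped IPv6 forms are unwrapped so they cannot hide a local address, and only http/https are accepted. The resolver is injectable, and the DNS answers used here are constructed so the check runs offline.

```python
"""Added example (not Roundcube's code): a destination guard for server-side
URL fetches. Assumptions (not from the page): http/https only, and every
resolved address must be public.
"""
import ipaddress
import socket
from urllib.parse import urlsplit


def default_resolve(host: str):
    """Real resolver: all addresses the name resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    """True only for addresses outside private, loopback, link-local,
    multicast, reserved and unspecified ranges."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 must be judged as 10.0.0.5
    return not (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def url_fetch_allowed(url: str, resolve=default_resolve) -> tuple:
    """Return (allowed, reason). Rejects if any resolved address is non-public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = resolve(host)
    except (OSError, ValueError) as exc:
        return False, "resolution failed: %s" % exc
    if not addrs:
        return False, "no addresses"
    for addr in addrs:
        if not is_public_address(addr):
            return False, "%s is not a public address" % addr
    return True, "ok"


# Constructed DNS answers for an offline demonstration.
FAKE_DNS = {
    "mail.example.test": ["93.184.216.34"],
    "internal.example.test": ["10.0.0.5"],
    "dual.example.test": ["93.184.216.35", "127.0.0.1"],
    "mapped.example.test": ["::ffff:169.254.169.254"],
}


def fake_resolve(host: str):
    """Offline resolver: table lookup, or a literal IP resolves to itself."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    ipaddress.ip_address(host)  # raises ValueError for unknown names
    return [host]


if __name__ == "__main__":
    for url in (
        "https://mail.example.test/logo.png",
        "https://internal.example.test/logo.png",
        "http://dual.example.test/",
        "http://mapped.example.test/",
        "http://127.0.0.1/",
        "http://[::1]/",
        "file:///tmp/anything",
    ):
        print(url, "->", url_fetch_allowed(url, fake_resolve))
```

One caveat a practitioner will recognise: resolving first and fetching later leaves a window in which the name can be re-pointed, so the checked address, not the hostname, should be the one the HTTP client actually connects to, and redirects must be re-checked with the same guard.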