PatchSiren cyber security CVE debrief
CVE-2026-48842 Roundcube CVE debrief
A pre-authentication SQL injection vulnerability exists in Roundcube Webmail's virtuser_query plugin. The flaw stems from a preg_replace() backslash escape bypass: backslash sequences in escaped user input are reinterpreted when the value is substituted into the SQL query, so an unauthenticated attacker can manipulate the query before authentication. Affected versions are 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1. The vulnerability carries a HIGH severity CVSS score of 8.1: network attack vector, high attack complexity, no privileges required, and high impact on confidentiality, integrity and availability (these metrics, together with the 8.1 score, correspond to the CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H; the user-interaction and scope values are inferred from the score, not stated in the stored evidence). The issue was disclosed on May 24, 2026, with security updates released the same day.
- Vendor: Roundcube
- Product: Webmail
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
Organizations running Roundcube Webmail 1.6.x or 1.7.x with the virtuser_query plugin enabled; email service providers; security teams responsible for webmail infrastructure
Technical summary
The virtuser_query plugin in Roundcube Webmail builds the lookup query for the submitted username by substituting the (escaped) value into a configured SQL template with preg_replace(). The replacement argument of preg_replace() is not treated literally: a doubled backslash collapses to a single backslash, and sequences such as \1 or $1 are read as backreferences. Escaping a value that contains backslashes therefore does not survive the substitution, and a crafted username can re-introduce an unescaped quote into the statement. Because the lookup runs on the username before any credentials are checked, the attacker needs no account. The root cause is that user-supplied data is incorporated into SQL statements by string substitution rather than as a bound parameter. Successful exploitation could lead to unauthorized database access, data exfiltration, or authentication bypass.
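The following is an added example, not Roundcube's code, that reproduces the bug class described above with a stand-alone PHP script. The SQL template, the `%u` placeholder, the table and column names and the `escape_sql_string()` helper are assumptions made for the demonstration; the behaviour shown is that of PHP's own `preg_replace()` replacement handling.

```php
<?php
declare(strict_types=1);

// Stand-in for driver-side string escaping in MySQL's default mode:
// backslash-escape the two characters that can terminate or escape a
// quoted literal. (Assumed helper, not Roundcube's escaping function.)
function escape_sql_string(string $value): string
{
    return strtr($value, ['\\' => '\\\\', "'" => "\\'"]);
}

// Vulnerable pattern: the escaped value is passed as the *replacement*
// argument of preg_replace(). That argument is not literal: "\\" collapses
// to "\", "\$" to "$", and "\1" / "$1" are backreferences. A username that
// starts with a backslash followed by a quote therefore gets its escaping
// undone by the substitution itself.
function build_query_with_preg_replace(string $template, string $username): string
{
    return preg_replace('/%u/', escape_sql_string($username), $template);
}

// Literal substitution: str_replace() copies the replacement verbatim, so
// the escaping survives. A bound parameter is still the preferable fix,
// because it removes string assembly from the picture entirely.
function build_query_with_str_replace(string $template, string $username): string
{
    return str_replace('%u', escape_sql_string($username), $template);
}

// Assumed query shape for the demonstration (placeholder inside a quoted
// literal, as a virtual-user lookup typically is).
$template = "SELECT email FROM virtuser WHERE username = '%u'";

// Constructed attacker input: one backslash, then a quote, then a payload.
$attacker = "\\' OR 1=1 -- ";

printf("preg_replace: %s\n", build_query_with_preg_replace($template, $attacker));
printf("str_replace:  %s\n", build_query_with_str_replace($template, $attacker));
```

Tracing the constructed input by hand: `escape_sql_string()` turns `\'` into `\\\'` (three backslashes and a quote). On the `preg_replace()` path the first two backslashes collapse into one, leaving `\\'`, so the query becomes `... username = '\\' OR 1=1 -- '`; MySQL reads `\\` as an escaped backslash and the next quote closes the literal, after which `OR 1=1 --` executes as SQL. On the `str_replace()` path the value stays `\\\'`, which MySQL reads as a backslash followed by an escaped quote, and the whole payload remains inside the string literal.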
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Roundcube Webmail 1.6.16 or 1.7.1 immediately
- If immediate patching is not possible, disable the virtuser_query plugin
- Review database query logs (for example the MySQL general query log) for virtual-user lookups whose username value contains unexpected quotes, backslashes, SQL comment markers or UNION/OR clauses; these run before authentication, so the absence of a logged-in session is not by itself a signal
- Monitor for failed authentication attempts with unusual username patterns
- Apply principle of least privilege to database accounts used by Roundcube
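A small detection helper for the "unusual username patterns" item above, added here as an example and not taken from Roundcube or PatchSiren. The log format is a simplified, constructed `login failed user="..." ip="..."` line assumed for the demonstration, not Roundcube's own log layout; adapt `LINE_RE` to the format your deployment actually writes. The sample lines are constructed.

```python
import re
from typing import Dict, List

# Constructed sample lines in an assumed, simplified failed-login format.
# The third and fourth entries carry the backslash-quote shape that defeats
# escaping when the value is later fed through preg_replace(); the fifth is a
# legitimate apostrophe and must not be flagged.
SAMPLE_LOG = """\
2026-05-25T20:01:11Z login failed user="alice@example.org" ip="203.0.113.5"
2026-05-25T20:01:19Z login failed user="bob.smith@example.org" ip="203.0.113.6"
2026-05-25T20:02:03Z login failed user="admin\\' OR 1=1 -- " ip="198.51.100.7"
2026-05-25T20:02:05Z login failed user="x\\\\' UNION SELECT 1 -- " ip="198.51.100.7"
2026-05-25T20:02:40Z login failed user="o'brien@example.org" ip="203.0.113.9"
"""

# Assumed line layout: ISO timestamp, fixed text, quoted user, quoted ip.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) login failed user="(?P<user>.*?)" ip="(?P<ip>[^"]+)"$'
)

# Each pattern targets a fragment that has no place in a mailbox name but is
# needed to turn an escaped value into live SQL.
SUSPICIOUS = [
    ("backslash-quote", re.compile(r"\\'")),          # \' : undoes quote escaping
    ("doubled backslash", re.compile(r"\\\\")),       # \\ : collapses in preg_replace()
    ("sql comment", re.compile(r"--|/\*")),           # trailing comment to swallow the rest
    ("quote then boolean/union", re.compile(r"'\s*(or|and|union)\b", re.I)),
]


def parse_failed_logins(text: str) -> List[Dict[str, str]]:
    """Parse the assumed log format into ts/user/ip records, skipping non-matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def flag_suspicious_usernames(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the events whose username matches at least one SUSPICIOUS pattern, with reasons."""
    findings = []
    for ev in events:
        reasons = [name for name, rx in SUSPICIOUS if rx.search(ev["user"])]
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


def count_by_ip(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Aggregate flagged attempts per source address for triage."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["ip"])] = counts.get(str(f["ip"]), 0) + 1
    return counts


if __name__ == "__main__":
    hits = flag_suspicious_usernames(parse_failed_logins(SAMPLE_LOG))
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} user={h["user"]!r} reasons={h["reasons"]}')
    print("per-ip:", count_by_ip(hits))
```

The patterns deliberately key on backslashes and SQL tokens rather than on quotes alone, so that names such as `o'brien@example.org` pass while `\'`-prefixed payloads are caught; tune the list against your own login volume before alerting on it.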
Evidence notes
CVE published 2026-05-25; modified 2026-05-26. Vendor security advisory dated 2026-05-24. Patches released in versions 1.6.16 and 1.7.1.
Official resources
2026-05-25T20:16:36.630Z