CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Tenable Nessus•added 2026/05/26 12:0 a.m.•9 views

Linux Distros Unpatched Vulnerability : CVE-2026-48845

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private...

6.5CVSS5.8AI score0.00284EPSS

Tenable Nessus•added 2026/05/26 12:0 a.m.•13 views

Linux Distros Unpatched Vulnerability : CVE-2026-48847

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass...

3.7CVSS6AI score0.00404EPSS

Tenable Nessus•added 2026/05/26 12:0 a.m.•6 views

FreeBSD : Roundcube Webmail -- Multiple vulnerabilities (b8777bc2-5758-11f1-8607-8447094a420f)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the b8777bc2-5758-11f1-8607-8447094a420f advisory. The Roundcube Webmail project reports: See link for details. No CVE numbers available at the moment...

5.8AI score

Tenable Nessus•added 2026/05/26 12:0 a.m.•11 views

Linux Distros Unpatched Vulnerability : CVE-2026-48844

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection...

7.5CVSS5.9AI score0.00372EPSS

Tenable Nessus•added 2026/05/26 12:0 a.m.•8 views

Linux Distros Unpatched Vulnerability : CVE-2026-48849

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS...

4.4CVSS5.4AI score0.00195EPSS

Exploits1References2

Tenable Nessus•added 2026/05/26 12:0 a.m.•25 views

Linux Distros Unpatched Vulnerability : CVE-2026-48842

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuserquery plugin via a pregreplace backslash escape...

8.1CVSS5.9AI score0.0066EPSS

OSV•added 2026/05/25 8:16 p.m.•5 views

DEBIAN-CVE-2026-48849

In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes...

4.4CVSS5.8AI score0.00195EPSS

Exploits1References1

OSV•added 2026/05/25 8:16 p.m.•4 views

DEBIAN-CVE-2026-48845

In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message...

6.5CVSS5.8AI score0.00284EPSS

NVD•added 2026/05/25 8:16 p.m.•8 views

CVE-2026-48846

In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var value in an e-mail message, which may lead to information disclosure or access-control bypass...

6.5CVSS0.00304EPSS

CVE-2026-48845

6.5CVSS0.00284EPSS

CVE-2026-48848

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets CSS injection via an SVG document that has an animate element with the attributeName attribute...

7.2CVSS0.00339EPSS

CVE-2026-48847

Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass...

3.7CVSS0.00404EPSS

NVD•added 2026/05/25 8:16 p.m.•8 views

CVE-2026-48849

In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes...

4.4CVSS0.00195EPSS

Exploits1References5

OSV•added 2026/05/25 8:16 p.m.•8 views

DEBIAN-CVE-2026-48848

7.2CVSS5.8AI score0.00339EPSS

OSV•added 2026/05/25 8:16 p.m.•5 views

DEBIAN-CVE-2026-48846

6.5CVSS5.8AI score0.00304EPSS

OSV•added 2026/05/25 8:16 p.m.•4 views

DEBIAN-CVE-2026-48847

Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass...

3.7CVSS5.9AI score0.00404EPSS

OSV•added 2026/05/25 8:16 p.m.•18 views

DEBIAN-CVE-2026-48842

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuserquery plugin via a pregreplace backslash escape bypass...

8.1CVSS5.8AI score0.0066EPSS

NVD•added 2026/05/25 8:16 p.m.•8 views

CVE-2026-48842

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuserquery plugin via a pregreplace backslash escape bypass...

8.1CVSS0.0066EPSS

Exploits0References6

CVE-2026-48843

Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16,and 1.7.x before 1.7.1 has Insufficient Cascading Style Sheets CSS sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an insufficient fix fo...

7.2CVSS0.00292EPSS