DEBIAN-CVE-2026-48844

Source
https://security-tracker.debian.org/tracker/CVE-2026-48844
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48844.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-48844
Upstream
  • CVE-2026-48844
Published
2026-05-25T20:16:36.893Z
Modified
2026-05-26T09:00:08.410898743Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in the LDAP autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)

References

Affected packages

Debian:11 / roundcube

Package

Name
roundcube
Purl
pkg:deb/debian/roundcube?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.4.11+dfsg.1-4
1.4.12+dfsg.1-1~bpo10+1
1.4.12+dfsg.1-1~deb11u1
1.4.13+dfsg.1-1~deb11u1~bpo10+1
1.4.13+dfsg.1-1~deb11u1
1.4.14+dfsg.1-1~deb11u1~bpo10+1
1.4.14+dfsg.1-1~deb11u1
1.4.15+dfsg.1-1~deb11u1~bpo10+1
1.4.15+dfsg.1-1~deb11u1
1.4.15+dfsg.1-1~deb11u2~bpo10+1
1.4.15+dfsg.1-1~deb11u2
1.4.15+dfsg.1-1+deb11u3
1.4.15+dfsg.1-1+deb11u4
1.4.15+dfsg.1-1+deb11u5
1.4.15+dfsg.1-1+deb11u6
1.4.15+dfsg.1-1+deb11u7
1.4.15+dfsg.1-1+deb11u8
1.5~beta+dfsg.1-1
1.5~beta+dfsg.1-2
1.5~beta+dfsg.1-3
1.5~beta+dfsg.1-4
1.5~rc+dfsg.1-1
1.5~rc+dfsg.1-2
1.5~rc+dfsg.1-3
1.5.0+dfsg.1-1
1.5.0+dfsg.1-2
1.5.1+dfsg-1
1.6~beta+dfsg-1
1.6~beta+dfsg-2
1.6~rc+dfsg-1
1.6~rc+dfsg-2
1.6.0+dfsg-1
1.6.0+dfsg-1.1
1.6.0+dfsg-2
1.6.1+dfsg-1
1.6.2+dfsg-1
1.6.3+dfsg-1~deb12u1
1.6.3+dfsg-1
1.6.3+dfsg-2
1.6.4+dfsg-1~deb12u1
1.6.4+dfsg-1
1.6.5+dfsg-1~deb12u1
1.6.5+dfsg-1
1.6.6+dfsg-1
1.6.6+dfsg-2
1.6.7+dfsg-1
1.6.8+dfsg-1
1.6.8+dfsg-2
1.6.9+dfsg-1
1.6.9+dfsg-2
1.6.10+dfsg-1
1.6.10+dfsg-2
1.6.11+dfsg-1
1.6.12+dfsg-1
1.6.13+dfsg-1
1.6.14+dfsg-1
1.6.15+dfsg-1
1.6.16+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48844.json"

Debian:12 / roundcube

Package

Name
roundcube
Purl
pkg:deb/debian/roundcube?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.6.1+dfsg-1
1.6.2+dfsg-1
1.6.3+dfsg-1~deb12u1
1.6.3+dfsg-1
1.6.3+dfsg-2
1.6.4+dfsg-1~deb12u1
1.6.4+dfsg-1
1.6.5+dfsg-1~deb12u1
1.6.5+dfsg-1
1.6.5+dfsg-1+deb12u2
1.6.5+dfsg-1+deb12u3
1.6.5+dfsg-1+deb12u4
1.6.5+dfsg-1+deb12u5
1.6.5+dfsg-1+deb12u6
1.6.5+dfsg-1+deb12u7
1.6.5+dfsg-1+deb12u8
1.6.6+dfsg-1
1.6.6+dfsg-2
1.6.7+dfsg-1
1.6.8+dfsg-1
1.6.8+dfsg-2
1.6.9+dfsg-1
1.6.9+dfsg-2
1.6.10+dfsg-1
1.6.10+dfsg-2
1.6.11+dfsg-1
1.6.12+dfsg-1
1.6.13+dfsg-1
1.6.14+dfsg-1
1.6.15+dfsg-1
1.6.16+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48844.json"

Debian:13 / roundcube

Package

Name
roundcube
Purl
pkg:deb/debian/roundcube?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.6.11+dfsg-1
1.6.12+dfsg-0+deb13u1
1.6.12+dfsg-1
1.6.13+dfsg-0+deb13u1
1.6.13+dfsg-1
1.6.14+dfsg-1
1.6.15+dfsg-0+deb13u1
1.6.15+dfsg-1
1.6.16+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48844.json"