|
2791
|
8.1 |
HIGH
Network
|
-
|
-
|
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass.
|
CWE-89
SQL Injection
|
CVE-2026-48842
|
2026-05-27 04:26 |
2026-05-26 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2792
|
7.2 |
HIGH
Network
|
-
|
-
|
Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16,and 1.7.x before 1.7.1 has Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure,…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-48843
|
2026-05-27 04:26 |
2026-05-26 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2793
|
7.5 |
HIGH
Network
|
-
|
-
|
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been …
|
CWE-670
Always-Incorrect Control Flow Implementation
|
CVE-2026-48844
|
2026-05-27 04:26 |
2026-05-26 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2794
|
6.5 |
MEDIUM
Network
|
-
|
-
|
In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information discl…
|
CWE-669
Incorrect Resource Transfer Between Spheres
|
CVE-2026-48845
|
2026-05-27 04:26 |
2026-05-26 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2795
|
6.5 |
MEDIUM
Network
|
-
|
-
|
In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information di…
|
CWE-669
Incorrect Resource Transfer Between Spheres
|
CVE-2026-48846
|
2026-05-27 04:26 |
2026-05-26 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2796
|
3.7 |
LOW
Network
|
-
|
-
|
Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.
|
CWE-669
Incorrect Resource Transfer Between Spheres
|
CVE-2026-48847
|
2026-05-27 04:26 |
2026-05-26 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2797
|
7.2 |
HIGH
Network
|
-
|
-
|
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element…
|
CWE-79
Cross-site Scripting
|
CVE-2026-48848
|
2026-05-27 04:26 |
2026-05-26 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2798
|
4.4 |
MEDIUM
Network
|
-
|
-
|
In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.
|
CWE-79
Cross-site Scripting
|
CVE-2026-48849
|
2026-05-27 04:26 |
2026-05-26 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2799
|
7.5 |
HIGH
Network
|
powerdns
|
authoritative
|
Insufficient Validation of Autoprimary SOA Queries
|
CWE-400
Uncontrolled Resource Consumption
|
CVE-2026-42001
|
2026-05-27 04:24 |
2026-05-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2800
|
7.5 |
HIGH
Network
|
powerdns
|
authoritative
|
Concurrency and locking defects in GSS-TSIG
|
CWE-364
Signal Handler Race Condition
|
CVE-2026-42002
|
2026-05-27 04:23 |
2026-05-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
