
Critical SQL Injection and XSS Vulnerabilities in RoundcubeMail Affect Fedora Users

Severity: High (Score: 74.0)

Sources: Linuxsecurity

Published: 2026-06-04 · Updated: 2026-06-04

Keywords: injection, fedora, issues, release, security, roundcube, webmail

Severity indicators: issue

Summary

Recent updates to RoundcubeMail for Fedora 43 and 44 revealed critical vulnerabilities, including SQL injection and cross-site scripting (XSS) issues. CVE-2026-48842 details a pre-auth SQL injection in the virtuser_query plugin, while CVE-2026-48843 highlights insufficient CSS sanitization leading to information disclosure and server-side request forgery (SSRF). Other vulnerabilities include privilege escalation and code injection risks, with multiple CVEs published on May 25, 2026. Users of Fedora 43 and 44 are urged to apply the latest updates to mitigate these risks. The vulnerabilities could allow attackers to exploit email systems, potentially leading to unauthorized access and data breaches. The updates can be installed via the 'dnf' package manager. Security teams should prioritize patching to protect their systems from these vulnerabilities.

Key Points:

  • Critical vulnerabilities in RoundcubeMail affect Fedora 43 and 44 users.
  • CVE-2026-48842 and CVE-2026-48843 involve SQL injection and XSS issues.
  • Immediate patching is recommended to prevent potential exploitation.

Detailed Analysis

**Impact**

Fedora users running RoundcubeMail versions 1.6.16 and 1.7.1 are affected by multiple critical vulnerabilities, including SQL injection, cross-site scripting (XSS), and privilege escalation. These flaws potentially expose email data and user credentials to unauthorized access and manipulation. The vulnerabilities impact all Fedora releases, posing risks to organizations relying on RoundcubeMail for webmail services, particularly in sectors handling sensitive communications.

**Technical Details**

Exploits include pre-authentication SQL injection in the virtuser_query plugin (CVE-2026-48842), code injection via insecure LDAP autovalues (CVE-2026-48844), SSRF and information disclosure through insufficient CSS sanitization (CVE-2026-48843), and privilege escalation via remote image blocking bypass (CVE-2026-48845). Attackers leverage preg_replace backslash escape bypasses and SVG-based CSS injection vectors. These vulnerabilities affect Fedora packages and can be exploited remotely before authentication, impacting the initial access and execution stages of the kill chain. No specific malware or IOCs are provided.

**Recommended Response**

Apply the Fedora security updates immediately using the "dnf" package manager with advisories FEDORA-2026-2b956d89d3 for RoundcubeMail 1.7.1 and FEDORA-2026-07ee097ffe for 1.6.16. Harden LDAP configurations by disabling code evaluation in autovalues options and monitor for unusual SQL queries or unauthorized access attempts. Review webmail access logs for signs of exploitation and block suspicious SVG payloads in incoming data. If patching is delayed, restrict RoundcubeMail access to trusted networks.
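An added remediation check for the response above (example script written for this page, not from the Fedora advisory or the Roundcube project): it decides whether an installed roundcubemail version is at or above the fixed release for its branch (1.6.16 or 1.7.1, as named in the advisories) and, on a Fedora host, prints the matching `dnf upgrade --advisory` command. The function names, the rpm query format and the "--check" flag are assumptions of this example; the advisory ids come from the page.

```shell
#!/bin/sh
# Added example, not part of the advisory. Exit status of roundcube_patched:
#   0 = version is at/above the fixed release for its branch
#   1 = version is in the 1.6 or 1.7 branch but below the fix (affected)
#   2 = not a version this page's advisories cover (cannot decide here)
roundcube_patched() {
    ver="${1%%-*}"                  # drop an rpm release suffix like "-1.fc43"
    case "$ver" in
        *[!0-9.]*|"") return 2 ;;   # not a plain dotted version string
    esac
    old_ifs="$IFS"; IFS=.
    set -- $ver                     # split into major, minor, patch fields
    IFS="$old_ifs"
    major="${1:-0}"; minor="${2:-0}"; patch="${3:-0}"
    [ "$major" -eq 1 ] || return 2
    case "$minor" in
        6) [ "$patch" -ge 16 ] && return 0 || return 1 ;;   # fixed in 1.6.16
        7) [ "$patch" -ge 1 ]  && return 0 || return 1 ;;   # fixed in 1.7.1
        *) return 2 ;;
    esac
}

# Query the installed package on a Fedora host (assumes rpm and dnf exist)
# and name the advisory from this page that brings it to the fixed release.
check_fedora_roundcube() {
    if ! rpm -q roundcubemail >/dev/null 2>&1; then
        echo "roundcubemail is not installed"; return 0
    fi
    installed="$(rpm -q --qf '%{VERSION}-%{RELEASE}' roundcubemail)"
    rc=0; roundcube_patched "$installed" || rc=$?
    case "$rc" in
        0) echo "roundcubemail $installed: at fixed version, no action needed" ;;
        1) echo "roundcubemail $installed is affected; apply the matching advisory:"
           echo "  sudo dnf upgrade --advisory FEDORA-2026-2b956d89d3   # -> 1.7.1"
           echo "  sudo dnf upgrade --advisory FEDORA-2026-07ee097ffe   # -> 1.6.16" ;;
        *) echo "roundcubemail $installed: branch not covered by these advisories;"
           echo "  review 'dnf updateinfo info roundcubemail' for the current status" ;;
    esac
    return "$rc"
}

# Run the host check only when invoked as: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_fedora_roundcube
fi
```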

Source articles (2)

  • Fedora 44 RoundcubeMail Critical SQL Injection XSS Issues 2026 — Linuxsecurity · 2026-06-03
    Release 1.7.1 Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314) Managesieve: Fix error when a mail message contains duplicate List-Id header (#10186) Clarified Elastic…
  • Fedora 43 Roundcube Webmail Important XSS SQL Issues 2026 — Linuxsecurity · 2026-06-04
    Release 1.6.16 Fix potential too long value in IMAP ID command (#10136) Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog Security: Fix CSS injection bypass in H…

Timeline

  • 2026-05-25 — Multiple CVEs published for RoundcubeMail: CVE-2026-48842, CVE-2026-48843, CVE-2026-48844, CVE-2026-48845, and CVE-2026-48848 were published, detailing critical vulnerabilities affecting RoundcubeMail.
  • 2026-05-25 — CVE-2026-48842 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-25 — CVE-2026-48843 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-25 — CVE-2026-48845 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-25 — CVE-2026-48844 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-25 — CVE-2026-48848 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-03 — Fedora 44 RoundcubeMail update released: An update to RoundcubeMail 1.7.1 was released to address critical SQL injection and XSS vulnerabilities.
  • 2026-06-04 — Fedora 43 RoundcubeMail update released: An update to RoundcubeMail 1.6.16 was released to fix critical vulnerabilities, including SQL injection and XSS issues.

CVEs

  • CVE-2026-48842
  • CVE-2026-48843
  • CVE-2026-48844
  • CVE-2026-48845
  • CVE-2026-48848

Related entities

  • Code Injection (Attack Type)
  • Information Disclosure (Attack Type)
  • Privilege Escalation (Attack Type)
  • Server-Side Request Forgery (Attack Type)
  • SQL Injection (Attack Type)
  • Cross-Site Scripting (XSS) (MITRE ATT&CK)
  • XSS (Vulnerability)
  • CWE-200 - Exposure of Sensitive Information (CWE)
  • CWE-269 - Improper Privilege Management (CWE)
  • CWE-798 - Use of Hard-coded Credentials (CWE)
  • CWE-79 - Cross-Site Scripting (XSS) (CWE)
  • CWE-89 - SQL Injection (CWE)
  • CWE-918 - Server-Side Request Forgery (SSRF) (CWE)
  • CWE-94 - Code Injection (CWE)
  • Fedora (Company)
  • Linux (Platform)
  • MariaDB (Platform)
  • MySQL (Platform)
  • RoundcubeMail (Platform)