What is GHSA-qhxr-pc4x-jrq3?

GHSA-qhxr-pc4x-jrq3 is a security advisory published by GitHub Security Advisories with High severity. Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic...

Which CVE IDs does GHSA-qhxr-pc4x-jrq3 cover?

GHSA-qhxr-pc4x-jrq3 covers the following CVE IDs: CVE-2026-48844. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-qhxr-pc4x-jrq3?

GHSA-qhxr-pc4x-jrq3 has a CVSS v3 base score of 7.5, published by GitHub Security Advisories.

GHSA-qhxr-pc4x-jrq3HighCVSS 7.5

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic...

Vendor

GitHub Security Advisories

Published

May 26, 2026

Last Modified

May 26, 2026

🔗 CVE IDs covered (1)

CVE-2026-48844 →

📋 Description

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)

🔗 References (7)

https://nvd.nist.gov/vuln/detail/CVE-2026-48844
https://github.com/roundcube/roundcubemail/commit/6a777d7394b763ce9acfce86c1a521e14a02d862
https://github.com/roundcube/roundcubemail/commit/ea1798a6fbf060abcc0ba73b2435036bf8016a5a
https://github.com/roundcube/roundcubemail/releases/tag/1.6.16
https://github.com/roundcube/roundcubemail/releases/tag/1.7.1
https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
https://github.com/advisories/GHSA-qhxr-pc4x-jrq3