Primary

Context

Roundcube Webmail Code Injection Vulnerability in LDAP Autovalues Option

Vulnerability

Patched

A code injection vulnerability has been identified in Roundcube Webmail versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1. The issue arises from insecure code evaluation logic in the LDAP autovalues option, which could be exploited to inject malicious code. In versions 1.6.16 and 1.7.1, support for code evaluation in this context has been removed.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution on the server where Roundcube is hosted.

Remediation

Users are advised to update to Roundcube Webmail versions 1.6.16 or 1.7.1. Instructions for downloading these versions are available on the Roundcube GitHub releases page.

Added: May 26, 2026, 6:44 PM

Updated: May 26, 2026, 6:44 PM

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

7.5

exploitability

6.9

remediation

7.7

relevance

9.4

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

7.5

exploitability

6.9

remediation

7.7

relevance

9.4

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Roundcube Webmail Code Injection Vulnerability in LDAP Autovalues Option

Vulnerability

Impact

Remediation

Affected Products

Roundcube Webmail

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating