[Git][security-tracker-team/security-tracker][master] CVEs assigned for roundcube issues

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue May 26 04:50:02 BST 2026 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6b600e47 by Salvatore Bonaccorso at 2026-05-26T05:49:32+02:00
CVEs assigned for roundcube issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -376,35 +376,35 @@ CVE-2026-9360 (A security flaw has been discovered in Edimax EW-7438RPn 1.28a. A
 	NOT-FOR-US: Edimax
 CVE-2026-4372 (A critical remote code execution vulnerability exists in all versions  ...)
 	NOT-FOR-US: HuggingFace transformers
-CVE-2026-XXXX [Code injection vulnerability via code evaluation support in LDAP autovalues option.]
+CVE-2026-48844 [Code injection vulnerability via code evaluation support in LDAP autovalues option.]
 	- roundcube 1.6.16+dfsg-1 (bug #1137507)
 	NOTE: https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
 	NOTE: https://github.com/roundcube/roundcubemail/commit/ea1798a6fbf060abcc0ba73b2435036bf8016a5a
-CVE-2026-XXXX [Pre-auth arbitrary file delete via redis/memcache session poisoning bypass]
+CVE-2026-48847 [Pre-auth arbitrary file delete via redis/memcache session poisoning bypass]
 	- roundcube 1.6.16+dfsg-1 (bug #1137507)
 	NOTE: https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
 	NOTE: https://github.com/roundcube/roundcubemail/commit/703318e6a59515b73b0d8aa2a91e346b02f56baa
-CVE-2026-XXXX [Bypass of remote image blocking via CSS var().]
+CVE-2026-48846 [Bypass of remote image blocking via CSS var().]
 	- roundcube 1.6.16+dfsg-1 (bug #1137507)
 	NOTE: https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
 	NOTE: https://github.com/roundcube/roundcubemail/commit/852350486b88b35b8544e8a630fad89e99e2150a
-CVE-2026-XXXX [Local/private URL fetch bypass when remote resources were not allowed]
+CVE-2026-48845 [Local/private URL fetch bypass when remote resources were not allowed]
 	- roundcube 1.6.16+dfsg-1 (bug #1137507)
 	NOTE: https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
 	NOTE: https://github.com/roundcube/roundcubemail/commit/7b52353653a67e6073b97d70eb94047132b78556
-CVE-2026-XXXX [SSRF bypass via specific local address URLs.]
+CVE-2026-48843 [SSRF bypass via specific local address URLs.]
 	- roundcube 1.6.16+dfsg-1 (bug #1137507)
 	NOTE: https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
 	NOTE: https://github.com/roundcube/roundcubemail/commit/cb3fc9041e91640ba9ba49ee7b2147c176ebf5a1
-CVE-2026-XXXX [Pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass.]
+CVE-2026-48842 [Pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass.]
 	- roundcube 1.6.16+dfsg-1 (bug #1137507)
 	NOTE: https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
 	NOTE: https://github.com/roundcube/roundcubemail/commit/87124cc7136a48b5fa9d2b40dfead6e9dcaeaf4b
-CVE-2026-XXXX [CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">.]
+CVE-2026-48848 [CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">.]
 	- roundcube 1.6.16+dfsg-1 (bug #1137507)
 	NOTE: https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
 	NOTE: https://github.com/roundcube/roundcubemail/commit/58e5263f341e6a418774fb6d2643669a3c4d8a27
-CVE-2026-XXXX [Stored XSS/HTML/CSS injection in subject field of the draft restore dialog]
+CVE-2026-48849 [Stored XSS/HTML/CSS injection in subject field of the draft restore dialog]
 	- roundcube 1.6.16+dfsg-1 (bug #1137507)
 	NOTE: https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
 	NOTE: https://github.com/roundcube/roundcubemail/commit/a21519187873ce962db029b6ff68e47bd7f3fd8a



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b600e47385f5818a579c4f1ed90ba372459a4b9

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b600e47385f5818a579c4f1ed90ba372459a4b9
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260526/c046d829/attachment.htm>

More information about the debian-security-tracker-commits mailing list