[Pkg-roundcube-maintainers] Bug#1137507: roundcube: Multiple security vulnerabilities
Guilhem Moulin
guilhem at debian.org
Mon May 25 21:56:54 BST 2026
Control: retitle -1 roundcube: CVE-2026-4884[2-9]: Multiple security vulnerabilities
The CVE IDs have now been assigned:
On Sun, 24 May 2026 at 13:12:24 +0200, Guilhem Moulin wrote:
> 1. Stored XSS/HTML/CSS injection in subject field of the draft restore
> dialog.
CVE-2026-48849
> 2. CSS injection bypass in HTML sanitizer via SVG <animate
> attributeName="style">.
CVE-2026-48848
> 3. Pre-auth SQL injection in virtuser_query plugin via preg_replace
> backslash escape bypass.
CVE-2026-48842
> 4. SSRF bypass via specific local address URLs.
CVE-2026-48843
> 5. Local/private URL fetch bypass when remote resources were not
> allowed.
CVE-2026-48845
> 6. Bypass of remote image blocking via CSS var().
CVE-2026-48846
> 7. Pre-auth arbitrary file delete via redis/memcache session poisoning
> bypass.
CVE-2026-48847
> 8. Code injection vulnerability via code evaluation support in LDAP
> autovalues option. Code evaluation support has now been removed.
CVE-2026-48844
I'll prepare debdiffs for bookworm- and trixie-security shortly and send
them to the security team for review.
--
Guilhem.
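As an added example (not code from the roundcube project or from this thread), a small Python scanner that flags two of the sanitizer-bypass shapes listed above from the defender's side: an SVG animation element whose attributeName targets style (item 2), and a url() that only appears once CSS var() references are expanded (item 6). The element set, regular expressions and finding strings are my own constructions and say nothing about how Roundcube's sanitizer is implemented.

```python
import re
from html.parser import HTMLParser

# SVG elements that rewrite another element's attributes over time; pointed at
# attributeName="style" they carry CSS past a literal-style-attribute check (item 2).
SVG_ANIMATION_TAGS = {"animate", "set", "animatetransform", "animatemotion"}
CUSTOM_PROP_RE = re.compile(r"(--[\w-]+)\s*:\s*([^;}]+)")
VAR_CALL_RE = re.compile(r"var\(\s*(--[\w-]+)\s*(?:,\s*([^)]*))?\)")
URL_RE = re.compile(r"url\s*\(", re.I)

def expand_css_vars(css: str, decls: dict) -> str:
    """Substitute var(--x) with its declared value (or fallback) so a url()
    hidden behind a custom property (item 6 above) becomes visible."""
    for _ in range(8):  # bounded rounds resolve nested var() chains
        new = VAR_CALL_RE.sub(lambda m: decls.get(m.group(1), m.group(2) or ""), css)
        if new == css:
            break
        css = new
    return css

class _Collector(HTMLParser):
    """Gather CSS chunks (style attributes, <style> bodies) and SVG animation
    elements whose attributeName is "style". HTMLParser lowercases names."""
    def __init__(self):
        super().__init__()
        self.css_chunks, self.animated_style, self._in_style = [], [], False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in SVG_ANIMATION_TAGS and a.get("attributename", "").strip().lower() == "style":
            self.animated_style.append(tag)
        if "style" in a:
            self.css_chunks.append(a["style"])
        self._in_style = tag == "style"
    def handle_endtag(self, tag):
        self._in_style = False
    def handle_data(self, data):
        if self._in_style:
            self.css_chunks.append(data)
def find_bypasses(html: str) -> list:
    """One finding per pattern; url() is reported only if a plain-text check missed it."""
    c = _Collector()
    c.feed(html)
    findings = [f"svg <{t}> targets the style attribute" for t in c.animated_style]
    decls = {}
    for chunk in c.css_chunks:  # custom properties may be declared anywhere
        decls.update(CUSTOM_PROP_RE.findall(chunk))
    for chunk in c.css_chunks:
        if not URL_RE.search(chunk) and URL_RE.search(expand_css_vars(chunk, decls)):
            findings.append("url() hidden behind var(): " + chunk.strip())
    return findings
```

The sample inputs in the test are constructed; example.invalid is a reserved name that never resolves.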