Cyber Posture

CVE-2026-48844

High
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: not affectedMobNetwork: not affectedNetApplication: not affectedAppOther: affectedOth

Published: 25 May 2026

Published
25 May 2026
Modified
26 May 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0005 14.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-48844 is a high-severity Always-Incorrect Control Flow Implementation (CWE-670) vulnerability in Roundcube Webmail (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Direct RCE via code injection in public-facing web application (Roundcube Webmail).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-670

Affected Products

Roundcube
Webmail
inferred from references and description; NVD did not file a CPE for this CVE

EU & UK References

References