PT-2026-43110 · Unknown · Roundcube Webmail
Zazy
·
Published
2026-05-24
·
Updated
2026-05-27
·
CVE-2026-48847
CVSS v3.1
3.7
Low
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
Roundcube Webmail versions 1.6.x through 1.6.15
Roundcube Webmail versions 1.7.x through 1.7.0
Description
An issue allows pre-authentication arbitrary file deletion through a session poisoning bypass when using redis or memcache. Session poisoning is a technique where an attacker manipulates session data to deceive the application into granting unauthorized access or performing unintended actions.
Recommendations
Update versions 1.6.x to 1.6.16.
Update versions 1.7.x to 1.7.1.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Roundcube Webmail