PT-2026-43110 · Unknown · Roundcube Webmail

Zazy

·

Published

2026-05-24

·

Updated

2026-05-27

·

CVE-2026-48847

CVSS v3.1

3.7

Low

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions 1.6.x through 1.6.15 Roundcube Webmail versions 1.7.x through 1.7.0
Description An issue allows pre-authentication arbitrary file deletion through a session poisoning bypass when using redis or memcache. Session poisoning is a technique where an attacker manipulates session data to deceive the application into granting unauthorized access or performing unintended actions.
Recommendations Update versions 1.6.x to 1.6.16. Update versions 1.7.x to 1.7.1.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-07443
CVE-2026-48847
OPENSUSE-SU-2026:10869-1
OPENSUSE-SU-2026:20852-1

Affected Products

Roundcube Webmail