CVE-2026-48849

CVSS v3.1

4.4

Medium

Vector

AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2026-48849

Affected Products

Webmail

CVE-2026-48849

Weakness Enumeration

Related Identifiers

Affected Products

References · 5