The Roundcube development team has released security updates, Roundcube Webmail 1.6.16 and 1.7.1, fixing several severe vulnerabilities. The most serious is a pre-authentication SQL injection (CVE-2026-48842, CVSS 8.1) in the 'virtuser_query' configuration option, the SQL lookup Roundcube uses to map login names to virtual-user addresses. A second issue, a code injection flaw (CVE-2026-48844, CVSS 7.5), was mitigated by removing direct code evaluation from the handling of LDAP configurations.
Additional fixes address cross-site scripting (XSS) vulnerabilities, session poisoning, and bypasses of the server-side request forgery (SSRF) protections. Because the SQL injection can be triggered before authentication, administrators are urged to apply these updates promptly.
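A quick way to tell whether a given installation is on a fixed release is to read the version constant that Roundcube defines in program/include/iniset.php and compare it against the fixed version for its branch (1.6.16 for the 1.6 branch, 1.7.1 for the 1.7 branch). The script below is an added example, not code from the Roundcube project or the advisory; it assumes the standard source layout and the RCMAIL_VERSION constant, and the iniset.php it reads is a constructed sample file, not a real installation.

```shell
#!/bin/sh
# Added example (not from the Roundcube project): report whether an installed
# Roundcube version is at or above the fixed release named in the advisory.
# Assumes the standard layout where program/include/iniset.php contains
#   define('RCMAIL_VERSION', '1.6.x');

# Extract the version string from an iniset.php file given as $1.
rc_version_from_file() {
  sed -n "s/.*define('RCMAIL_VERSION', *'\([^']*\)').*/\1/p" "$1" | head -n 1
}

# Return 0 (true) when dotted version $1 >= dotted version $2.
# Compared field by field numerically, so 1.6.16 sorts above 1.6.2.
version_ge() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; a=${a#*.}
    y=${b%%.*}; b=${b#*.}
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0
}

# Fixed version for the branch of $1; empty if the branch is not covered.
fixed_version_for() {
  case "$1" in
    1.6|1.6.*) echo 1.6.16 ;;
    1.7|1.7.*) echo 1.7.1 ;;
    *) echo "" ;;
  esac
}

# Print "patched", "vulnerable" or "unsupported" for version string $1.
# A "-git" or similar suffix (e.g. 1.7-git) is stripped before comparing.
rc_status() {
  v=${1%%-*}
  fixed=$(fixed_version_for "$v")
  if [ -z "$fixed" ]; then echo unsupported; return 0; fi
  if version_ge "$v" "$fixed"; then echo patched; else echo vulnerable; fi
}

# Write a constructed sample iniset.php (stand-in for a real install) and
# print its path, so the extraction step can be exercised offline.
make_sample_iniset() {
  f=$(mktemp)
  printf '%s\n' "<?php" "define('RCMAIL_VERSION', '1.6.15');" > "$f"
  echo "$f"
}

# Usage: point at a real install, e.g.
#   rc_status "$(rc_version_from_file /var/www/roundcube/program/include/iniset.php)"
sample=$(make_sample_iniset)
echo "sample install reports $(rc_version_from_file "$sample"): $(rc_status "$(rc_version_from_file "$sample")")"
rm -f "$sample"
```

One caveat when using this on a distribution-packaged Roundcube: package maintainers sometimes backport security fixes without changing the upstream version string, so a "vulnerable" result should be confirmed against the distribution's own changelog before raising an alarm.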