Control: retitle -1 roundcube: CVE-2026-4884[2-9]: Multiple security vulnerabilities
The CVE IDs have now been assigned:

On Sun, 24 May 2026 at 13:12:24 +0200, Guilhem Moulin wrote:
> 1. Stored XSS/HTML/CSS injection in subject field of the draft restore
>    dialog.

CVE-2026-48849

> 2. CSS injection bypass in HTML sanitizer via SVG <animate
>    attributeName="style">.

CVE-2026-48848

> 3. Pre-auth SQL injection in virtuser_query plugin via preg_replace
>    backslash escape bypass.

CVE-2026-48842

> 4. SSRF bypass via specific local address URLs.

CVE-2026-48843

> 5. Local/private URL fetch bypass when remote resources were not
>    allowed.

CVE-2026-48845

> 6. Bypass of remote image blocking via CSS var().

CVE-2026-48846

> 7. Pre-auth arbitrary file delete via redis/memcache session poisoning
>    bypass.

CVE-2026-48847

> 8. Code injection vulnerability via code evaluation support in LDAP
>    autovalues option. Code evaluation support has now been removed.

CVE-2026-48844

I'll prepare debdiffs for bookworm- and trixie-security shortly and send them to the security team for review.

-- 
Guilhem.
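Item 3 names the bug class behind CVE-2026-48842 (a preg_replace backslash escape bypass) without explaining it. The following is an added illustration of that class, written for this page; it is not Roundcube's code, not the virtuser_query plugin, and not an exploit for the CVE. The helper names quote_mysql_style, build_query_vulnerable and build_query_fixed, the query template and the input string are all constructed for the example. It shows why substituting an escaped value into a query with preg_replace is unsafe: PHP interprets backslash sequences in the replacement argument, so the doubled backslash that the quoting step produced collapses back to a single one and the quote that follows it is no longer escaped. A literal substitution (str_replace, or preg_replace_callback returning the value unchanged) does not re-interpret the value.

```php
<?php
// Added illustration (not Roundcube code) of a preg_replace backslash escape bypass.

// Hypothetical stand-in for a DB driver quote(): backslash-escapes '\' and "'"
// and wraps the value in single quotes (MySQL-style escaping).
function quote_mysql_style(string $s): string
{
    return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], $s) . "'";
}

// Unsafe: the quoted value is passed as preg_replace's *replacement* string,
// where "\\" is interpreted as a single literal backslash and "\<digit>" / "$<digit>"
// as back-references, so part of the escaping is undone.
function build_query_vulnerable(string $template, string $user): string
{
    return preg_replace('/%u/', quote_mysql_style($user), $template);
}

// Safe: str_replace substitutes the value literally; nothing is re-interpreted.
function build_query_fixed(string $template, string $user): string
{
    return str_replace('%u', quote_mysql_style($user), $template);
}

// Constructed input: a backslash, a single quote, then a payload.
$template = "SELECT email FROM users WHERE username = %u";
$input    = "\\' OR 1=1 -- ";   // the PHP string \' OR 1=1 --

// Escaping step produces  '\\\' OR 1=1 -- '  (backslash doubled, quote escaped).
// After preg_replace's replacement processing, "\\" collapses to "\", giving:
//   SELECT email FROM users WHERE username = '\\' OR 1=1 -- '
// In SQL, \\ is one literal backslash and the following ' closes the string,
// so the rest of the input runs as SQL.
echo build_query_vulnerable($template, $input), "\n";

// Literal substitution keeps the escaping intact:
//   SELECT email FROM users WHERE username = '\\\' OR 1=1 -- '
// \\ is a backslash and \' an escaped quote; the string literal stays closed.
echo build_query_fixed($template, $input), "\n";
```

The general rule this demonstrates: never put an attacker-influenced (even already-escaped) value into the replacement argument of preg_replace; use a literal substitution, or better, a bound parameter so no escaping is needed at all.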

