A vulnerability, which was classified as critical , was found in Roundcube Webmail up to 1.6.15/1.7.0 . This issue affects the function preg_replace . The manipulation results in sql injection. This vulnerability is identified as CVE-2026-48842 . The attack can be executed remotely. There is not any exploit available. You should upgrade the affected component.