CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 28, 2026

Critical Roundcube Webmail Vulnerability Let Attackers Inject SQL Queries

Cybersecurity News Archived May 28, 2026 ✓ Full text saved

Roundcube Webmail users are being urged to apply urgent updates after developers patched multiple security flaws. Including a critical pre-authentication SQL injection vulnerability that could allow attackers to manipulate backend databases without logging in. The issues affect Roundcube versions 1.6. x and 1.7. x, which are widely used across enterprise and hosting environments. The vulnerability, […] The post Critical Roundcube Webmail Vulnerability Let Attackers Inject SQL Queries appeared fi

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Critical Roundcube Webmail Vulnerability Let Attackers Inject SQL Queries By Abinaya May 28, 2026 Roundcube Webmail users are being urged to apply urgent updates after developers patched multiple security flaws. Including a critical pre-authentication SQL injection vulnerability that could allow attackers to manipulate backend databases without logging in. The issues affect Roundcube versions 1.6. x and 1.7. x, which are widely used across enterprise and hosting environments. The vulnerability, discovered by researcher “skull,” affects the virtuser_query plugin. It stems from improper input sanitization in a preg_replace function, allowing attackers to bypass backslash-escaping protections. This flaw enables threat actors to inject malicious SQL queries before authentication, potentially exposing sensitive email data, user credentials, and system configurations. Security experts warn that pre-auth SQL injection flaws are particularly dangerous because they do not require valid user access. In real-world attacks, adversaries could exploit this issue to extract mailbox contents, escalate privileges, or pivot deeper into internal infrastructure. Roundcube Webmail Vulnerability In addition to the SQL injection flaw, Roundcube addressed several other high-impact vulnerabilities in versions 1.6.16 and 1.7.1. These include stored cross-site scripting (XSS) and HTML/CSS injection issues that could allow attackers to execute malicious scripts through manipulated email content or draft messages. Another notable fix involves a CSS-injection bypass using SVG elements, specifically via the <animate> tag, which manipulates style attributes. This could allow attackers to evade sanitization filters and execute unauthorized code in a victim’s browser session. Server-side request forgery (SSRF) protections were also strengthened. Researchers identified bypass techniques using specially crafted local URLs that allowed access to restricted internal resources. Additionally, flaws in remote image-blocking mechanisms were patched, allowing attackers to exploit CSS variables to load external content and potentially track users. A particularly severe issue involved arbitrary file deletion through session poisoning in Redis or Memcache configurations. This vulnerability could allow attackers to manipulate session data and delete critical files on the server. Another fix removed unsafe code-evaluation functionality from the LDAP autovalues option, eliminating a potential code-injection vector that could lead to remote code execution in certain configurations. Roundcube maintainers have released patched versions 1.6.16 and 1.7.1 and strongly recommend immediate updates for all production environments. Given the combination of pre-auth SQL injection and multiple bypass techniques, unpatched systems present a significant attack surface. Organizations using Roundcube in shared hosting, enterprise email systems, or cloud deployments should prioritize patching and review logs for suspicious activity. Monitoring database queries, unusual HTTP requests, and unauthorized file operations can help detect potential exploitation attempts. With webmail platforms remaining a prime target for attackers, this incident highlights the importance of timely patch management and secure configuration practices to prevent data breaches and service compromise. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Hackers Backdoor Popular art-template npm Package to Launch Watering-Hole Attacks WhatsApp Chat Histories Stored Unencrypted on macOS and iOS New 0-Click WhatsApp Account Takeover Attack Targeting iOS 16 Users New BTMOB Malware Lets Attackers Remotely Control Android Devices Mini Shai-Hulud Compromises @antv npm Packages to Steal CI/CD Credentials Latest News Cyber Security News Threat Actors Spoofing FIFA Websites to Steal Name, Home Address, and Phone Number Cyber Security News Top 10 Best Mobile Application Security Testing (MAST) Tools in 2026 Cyber Security News Top 10 Best Static Application Security Testing (SAST) Tools for Security Teams in 2026 Cyber Security News Veeam Backup & Replication Tool Vulnerability Enables Privilege Escalation Attacks Cyber Security News Microsoft Warns Public Release of Zero-Day Details Before Vendor Coordination
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 28, 2026
    Archived
    May 28, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗