CVE-2021-44026 vulnerability in Roundcube and Other Products
Published on November 19, 2021

Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.


Known Exploited Vulnerability

This Roundcube Webmail SQL Injection Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Roundcube Webmail is vulnerable to SQL injection via search or search_params.

The following remediation steps are recommended / required by July 13, 2023: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2021-44026 is exploitable with network access and requires neither authorization privileges nor user interaction. It is considered to have a low attack complexity and has the highest possible exploitability rating (3.9). The potential impact of an exploit is considered critical, as this vulnerability has a high impact on the confidentiality, integrity and availability of this component.

What is a SQL Injection Vulnerability?

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

CVE-2021-44026 has been classified as a SQL Injection vulnerability or weakness.

Products Associated with CVE-2021-44026



What versions are vulnerable to CVE-2021-44026?