GSD-2021-44026 — Vulnetix

GSD-2021-44026 PUBLISHED CVSS 9.800000190734863 CRITICAL

Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.

Risk Scores

CVSS v3.1

9.800000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
n/a	n/a	n/a

Timeline

Nov 18, 2021 CVE Published
Jun 22, 2023 PoC Published
Dec 24, 2024 PoC Published
Feb 23, 2025 PoC Published
May 4, 2025 PoC Published
Jul 1, 2025 PoC Published
Aug 31, 2025 PoC Published
Feb 2, 2026 PoC Published
Apr 15, 2026 Distribution Patch
Apr 15, 2026 Security Advisory

References

https://bugs.debian.org/1000156 url
https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1 url
https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa url
FEDORA-2021-167865df98 vendor-advisory
FEDORA-2021-43d3c10590 vendor-advisory
DSA-5013 vendor-advisory
[debian-lts-announce] 20211206 [SECURITY] [DLA 2840-1] roundcube security update mailing-list
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44026 url

Open in Interactive Console →

$ Console Community · 100/wk Open console ›