CVE-2021-44026

CVSS 9.8 (Critical) · EPSS 42.9% · CISA KEV · CWE-89
Vexday Risk Score: 90 (Fix now)
SSVC decision (CISA): Act (exploitation + impact → act immediately)
Tags: CVSS 9.8 · EPSS 42.9% · KEV: yes · Public PoC · Nuclei · Metasploit · Patch referenced
Lifecycle
19 Nov 2021: Published on NVD
22 Jun 2023: Active exploitation (CISA KEV)
02 Apr 2025: Public PoC
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

Roundcube webmail versions before 1.3.17 and 1.4.x before 1.4.12 have a flaw in the search feature that allows attackers to inject SQL commands through search input. This could let an attacker read emails, password hashes, or other sensitive data held in the mail server's database.

Technical detail

A SQL injection vulnerability in Roundcube's search and search_params handling allows unauthenticated or authenticated attackers to execute arbitrary SQL queries against the backend database. The flaw stems from improper sanitization of search parameters before they reach a database query, which can lead to data exfiltration, authentication bypass, or database manipulation. The CVSS vector (AV:N/PR:N/UI:N) reflects that the issue is reachable over the network without privileges or user interaction.

Summary generated and translated by AI from the official description.
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products: n/a · n/a