Critical Roundcube Flaw Allows Attackers to Inject SQL Queries
ID: 5bed5523-bca8-53cc-8b4d-85cc3eb5317e
STIX ID: report--5bed5523-bca8-53cc-8b4d-85cc3eb5317e
Feed Name: Cyber Press
Roundcube Webmail has released security updates (1.6.16 and 1.7.1) addressing eight vulnerabilities. The most severe are a pre-authentication SQL injection in the virtuser_query user-lookup option, which lets an attacker without credentials run arbitrary database queries, and a code-evaluation flaw in the LDAP autovalues handling that could lead to remote code execution. The remaining issues are cross-site scripting, CSS injection, SSRF bypasses, session poisoning that enables file deletion, and bypasses of remote-resource blocking. Administrators of internet-facing Roundcube instances should patch immediately, leave virtuser_query unset unless the deployment relies on it, audit logs for anomalous queries or login attempts, and review LDAP settings to reduce the risk of multi-stage exploitation.
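The summary above describes the vulnerability class (a SQL lookup template whose placeholders are filled by textual substitution of a value the unauthenticated user controls) but not the mechanics. The following is an added example, not Roundcube's code, its schema or its actual query: it uses a hypothetical virtusers table and a %m-style lookup template in Python with sqlite3 standing in for the webmail's database layer, shows why spliced substitution is injectable and a bound-parameter renderer that is not, and includes a small heuristic that pulls suspicious login values out of constructed log lines of the kind an administrator might audit.

```python
"""Added example: user-lookup templates filled by splicing vs. by bound parameters."""
import re
import sqlite3

# Constructed, hypothetical schema and template (not Roundcube's). %m stands for
# the full e-mail address, %u for its local part, %d for its domain.
SCHEMA = """
CREATE TABLE virtusers (email TEXT PRIMARY KEY, login TEXT NOT NULL);
INSERT INTO virtusers VALUES ('alice@example.org', 'alice');
INSERT INTO virtusers VALUES ('bob@example.org', 'bob');
"""
TEMPLATE = "SELECT login FROM virtusers WHERE email = '%m'"


def _db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_unsafe(conn, email):
    """Textual substitution: the caller-controlled value becomes SQL text.

    A lookup like this runs before any password is checked, so the attacker
    only needs to submit a crafted username on the login form.
    """
    sql = TEMPLATE.replace("%m", email)
    return [row[0] for row in conn.execute(sql)]


def render_bound(template, values):
    """Rewrite a %x template into (sql_with_?, params) so values are bound, not spliced.

    Quotes around a placeholder are dropped because a bound parameter must not
    sit inside a string literal ('?' would be the literal text "?").
    """
    params = []

    def sub(match):
        params.append(values["%" + match.group(1)])
        return "?"

    sql = re.sub(r"'?%([mud])'?", sub, template)
    return sql, params


def lookup_safe(conn, email):
    """Same lookup, with every placeholder passed to the driver as a parameter."""
    local, _, domain = email.partition("@")
    sql, params = render_bound(TEMPLATE, {"%m": email, "%u": local, "%d": domain})
    return [row[0] for row in conn.execute(sql, params)]


# Constructed log lines for the audit heuristic; the format is invented for
# this example, not a claim about Roundcube's log layout.
LOG_LINES = [
    "[12-Jan-2025 10:00:01] IMAP Error: Login failed for alice@example.org against localhost",
    "[12-Jan-2025 10:00:05] IMAP Error: Login failed for x' OR '1'='1 against localhost",
    "[12-Jan-2025 10:00:09] IMAP Error: Login failed for bob@example.org against localhost",
]

_LOGIN_RE = re.compile(r"Login failed for (.+?) against")
_SQL_META_RE = re.compile(r"['\"\\;#]|--|/\*|\b(?:OR|AND|UNION|SELECT)\b", re.IGNORECASE)


def suspicious_login_values(lines):
    """Return login values containing SQL metacharacters or keywords."""
    found = []
    for line in lines:
        m = _LOGIN_RE.search(line)
        if m and _SQL_META_RE.search(m.group(1)):
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    payload = "x' OR '1'='1"
    print("unsafe, payload  :", lookup_unsafe(_db(), payload))   # every login
    print("safe, payload    :", lookup_safe(_db(), payload))     # []
    print("safe, real user  :", lookup_safe(_db(), "alice@example.org"))
    print("suspicious logins:", suspicious_login_values(LOG_LINES))
```

The renderer in `render_bound` is the migration shape for any template-driven lookup: the operator keeps writing the query, but the placeholders become driver-level parameters and the database never sees the user's bytes as SQL. The log heuristic is intentionally crude; it is meant to surface candidates for manual review, not to serve as a detection rule on its own.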
