Impact
Roundcube Webmail versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1 contain insecure code evaluation logic in the LDAP autovalues option, allowing an attacker to inject arbitrary code. This flaw maps to CWE-670, indicating improper restriction of operations within the bounds of a user, and can lead to code execution on the mail server. The primary impact is the potential for attackers to execute malicious code with the privileges of the webmail application, compromising confidentiality, integrity, and availability of stored mail and server systems.
Affected Systems
The vulnerability affects the Roundcube Webmail product, specifically all 1.6.x releases below 1.6.16 and all 1.7.x releases below 1.7.1. The official fix removes support for code evaluation in those minor releases and is distributed in the 1.6.16 and 1.7.1 releases.
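The following is an added example, not part of this advisory or of the Roundcube project: a small triage helper that classifies an installed Roundcube version against the two affected ranges stated above (1.6.x below 1.6.16, 1.7.x below 1.7.1). It assumes version strings of the form `1.6.15` or `1.7.1-rc2`, and treats a pre-release of the fixed version as still affected, which is an assumption of the example rather than a statement of the advisory.

```python
import re

# Minimum fixed release per affected branch, as stated in the advisory.
FIXED_RELEASES = {(1, 6): (1, 6, 16), (1, 7): (1, 7, 1)}
PRERELEASE = re.compile(r"^(?:rc|beta|alpha|dev)", re.IGNORECASE)


def parse_version(version):
    """Split '1.6.15' -> ((1, 6, 15), False) or '1.7.1-rc2' -> ((1, 7, 1), True).

    Returns None when the string has no dotted numeric prefix.
    Missing components are padded with zeros, so '1.6' reads as 1.6.0."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(?:[-.]?(.*))?$", version)
    if not m:
        return None
    numbers = tuple(int(p) for p in m.group(1).split("."))
    suffix = (m.group(2) or "").strip()
    return (numbers + (0, 0, 0))[:3], bool(suffix and PRERELEASE.match(suffix))


def assess(version):
    """Classify a version as 'affected', 'fixed', 'not-in-scope' or 'unknown'."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    numbers, prerelease = parsed
    fixed = FIXED_RELEASES.get(numbers[:2])
    if fixed is None:
        return "not-in-scope"   # branches the advisory does not name, e.g. 1.5.x
    if numbers < fixed:
        return "affected"
    if numbers == fixed and prerelease:
        return "affected"       # assumption: 1.6.16-rc predates the 1.6.16 fix
    return "fixed"


def hosts_needing_upgrade(inventory):
    """Return the hosts in a {host: version} inventory still running an affected build."""
    return sorted(host for host, ver in inventory.items() if assess(ver) == "affected")


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"mx1.example.test": "1.6.15", "mx2.example.test": "1.7.1",
              "mx3.example.test": "1.7.0", "legacy.example.test": "1.5.9"}
    for host in hosts_needing_upgrade(sample):
        print(f"{host}: {sample[host]} is affected, upgrade to a fixed release")
```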
Risk and Exploitability
The CVSS score of 7.5 corresponds to a High severity rating, but no EPSS score is available, so the current probability of exploitation is unknown. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, suggesting no known active exploitation at the time of this assessment. Because the flaw is code injection via LDAP autovalues, an attacker would need to influence the LDAP authentication path, which likely requires either direct access to the LDAP directory or the ability to supply input that is processed by the autovalues logic. The description gives too little detail to determine whether the attack surface is remote or local, but the risk warrants immediate action.
OpenCVE Enrichment