diff --git a/CHANGELOG b/CHANGELOG
index c373d8a..57b20eb 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,10 @@
 Roundcube Webmail MarkAsJunk2
 =============================
+Version 1.10.1 (2018-04-17, rc-1.1.11)
+=================================================
+ * Fix check_request() bypass in places using get_uids() [CVE-2018-9846]
+
 Version 1.10 (2017-01-02, rc-1.1)
 =================================================
 * Add JS event markasjunk2-update to allow other plugins to influence the spam/ham options show
diff --git a/composer.json b/composer.json
index 62294d6..9c1bf1c 100644
--- a/composer.json
+++ b/composer.json
@@ -5,7 +5,7 @@
 "homepage": "http://github.com/JohnDoh/Roundcube-Plugin-Mark-as-Junk-2/",
 "license": "GPL-3.0",
 "type": "roundcube-plugin",
- "version": "1.10",
+ "version": "1.10.1",
 "authors": [
 {
 "name": "Philip Weir",
diff --git a/markasjunk2.php b/markasjunk2.php
index 4a95096..d105992 100644
--- a/markasjunk2.php
+++ b/markasjunk2.php
@@ -89,8 +89,9 @@ function mark_message()
 $is_spam = rcube::get_instance()->action == 'plugin.markasjunk2.junk' ? true : false;
 $multi_folder = $_POST['_multifolder'] == 'true' ? true : false;
- $messageset = rcmail::get_uids();
+ $uids = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST);
 $mbox_name = rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_POST);
+ $messageset = !empty($uids) ? rcmail::get_uids($uids, $mbox_name) : array();
 $dest_mbox = $is_spam ? $this->spam_mbox : $this->ham_mbox;
 $result = $is_spam ? $this->_spam($messageset, $dest_mbox) : $this->_ham($messageset, $dest_mbox);
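Review bot: The new `$uids` line in mark_message() deserves a why-comment explaining that `_uid` is now read from POST only rather than through the parameterless `rcmail::get_uids()`, because the CHANGELOG hunk on this page ties the change to the check_request() bypass (CVE-2018-9846) and a later tidy-up could easily fold it back into the old call without that context. Suggested: `// read _uid from POST only so the request stays covered by check_request() (CVE-2018-9846)`. A smaller point: when `_uid` is absent, `$messageset` is `array()` and execution still falls through to `_spam()`/`_ham()` with an empty set; if those helpers do not reject an empty set themselves, an early return before the `$dest_mbox` line would make the failure explicit rather than silent. mark_message() starts and ends outside this hunk, so how the empty case is handled further down is not visible here.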