CVE-2026-35538 — Argument Injection in Webmail

CWE-88 — Argument Injection9 documents7 sources

Severity

3.1LOWNVD

EPSS

0.0%

top 87.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Roundcube Webmail Roundcube Roundcubemail

Timeline

PublishedApr 3

Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5roundcube/webmail1.6.0 — 1.6.14+1

▶NVDroundcube/webmail1.6.0 — 1.6.14+1

▶Packagistroundcube/roundcubemail1.7-beta — 1.7-rc5

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

CVE-2026-35538: An issue was discovered in Roundcube Webmail before 1↗2026-04-03

▶

OSV

CVE-2026-35538: An issue was discovered in Roundcube Webmail before 1↗2026-04-03

▶

OSV

Roundcube Webmail: Unsanitized IMAP SEARCH command arguments↗2026-04-03

▶

GHSA

Roundcube Webmail: Unsanitized IMAP SEARCH command arguments↗2026-04-03

▶

📋Vendor Advisories

Debian

CVE-2026-35538: roundcube - An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitiz...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-35538 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35544 roundcubemail: various flaws [epel-all]↗2026-04-03

▶

Bugzilla

CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35544 roundcubemail: various flaws [fedora-all]↗2026-04-03

▶