CVE-2026-35538
Published 2026-04-03
Priority: P4 · Severity: low · CVSS 3.1 base score: 3.1
CVSS 3.1 vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.28% (20.0th percentile)
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 1.6.5+dfsg-1+deb12u8 (bookworm) | roundcube 1.6.5+dfsg-1+deb12u8 (bookworm) |
| roundcube | roundcubemail | >= 1.7-beta < 1.7-rc5 | 1.7-rc5 |
| roundcube | webmail | < 1.5.14 | 1.5.14 |
| roundcube | webmail | >= 1.6.0 < 1.6.14 | 1.6.14 |
CVSS provenance
| Source | Score (CVSS 3.1) | Severity | Vector |
|---|---|---|---|
| nvd | 3.1 | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
| osv | 3.1 | LOW | |
| vendor_debian | 3.1 | LOW | |
Debian
CVE-2026-35538: roundcube - An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitiz...
vendor_debian · 2026 · CVSS 3.1 · severity LOW
Scope: local
bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8)
bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u8)
forky: resolved (fixed in 1.6.14+dfsg-1)
sid: resolved (fixed in 1.6.14+dfsg-1)
trixie: resolved (fixed in 1.6.15+dfsg-0+deb13u1)
OSV
CVE-2026-35538: An issue was discovered in Roundcube Webmail before 1
osv · 2026-04-03 · CVSS 3.1 · severity LOW
OSV
Roundcube Webmail: Unsanitized IMAP SEARCH command arguments
osv · 2026-04-03 · severity LOW
GHSA
Roundcube Webmail: Unsanitized IMAP SEARCH command arguments
ghsa · 2026-04-03 · severity LOW · CWE-88
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35544 roundcubemail: various flaws [epel-all]
bugzilla · 2026-04-03 · CVSS 3.1 · severity LOW
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-EPEL-2026-82b702d826 (roundcubemail-1.6.15-1.el10_1) has been submitted as an update to Fedora EPEL 10.1.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-82b702d826
---
FEDORA-EPEL-2026-646aebe990 (roundcubemail-1.6.15-1.el10_2) has been submitted as an update to Fedora EPEL 10.2.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-646aebe990
---
FEDORA-EPEL-2026-f7a0d90857 (roundcubemail-1.6.15-1.el10_
Bugzilla
CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35544 roundcubemail: various flaws [fedora-all]
bugzilla · 2026-04-03 · CVSS 3.1 · severity LOW
Discussion:
FEDORA-2026-6d293b6889 (roundcubemail-1.7~rc6-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-6d293b6889
---
FEDORA-2026-8ba1a085a9 (roundcubemail-1.6.15-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-8ba1a085a9
---
FEDORA-2026-051825ca18 (roundcubemail-1.6.15-1.fc42) has been submitted as an update to Fedo
Wiz
CVE-2026-35538 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · severity MEDIUM
## CVE-2026-35538: PHP vulnerability analysis and mitigation
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
Source: NVD
Score: 3.1
Published April 3, 2026
Severity LOW
CNA Score 3.1
Affected Technologies
PHP
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
roundcube
roundcube/roundcubemail
Sources
| Source | Severity | Fix | Added at |
|---|---|---|---|
| NVD | | | |
| Debian 11, 12, 13, 14 | LOW | Has Fix | Apr 05, 2026 |
| Echo | LOW | Has Fix | Apr 05, 2026 |
| Composer | LOW | Has Fix | Apr 05, |
References
https://github.com/roundcube/roundcubemail/commit/5fe8a69956a9683a4269f3ad2a68e18deebf8a15
https://github.com/roundcube/roundcubemail/commit/7daf5aa9c190ccc75bb31672d8fee9938877fd64
https://github.com/roundcube/roundcubemail/commit/b18a8fa8e81571914c0ff55d4e20edb459c6952c
https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
Published: 2026-04-03