CVE-2026-35538PATCHED

roundcube · webmail

CVE-2026-35538: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could l

Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.

Affected Products

Vendor	Product	Versions
roundcube	webmail	0, 1.6.0

References

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-35538 | Roundcube Webmail up to 1.5.13/1.6.13 IMAP SEARCH Command Argument argument injection

→ No new info (linked only)

CVSS 3.13.1 CRITICAL

VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

1.5.141.6.14

CWECWE-88

PublishedApr 3, 2026

Last enriched4h agov2

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-35544EXP

CVE-2026-35544: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitiz

Trending: 46

HIGHCVE-2026-35542EXP

CVE-2026-35542: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed

Trending: 46

HIGHCVE-2026-35540EXP

CVE-2026-35540: An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization

Trending: 46

HIGHCVE-2026-35539

CVE-2026-35539: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachmen

Trending: 27

HIGHCVE-2026-35537

CVE-2026-35537: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache sess

Trending: 27

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 3, 2026

Patch Available

Apr 3, 2026

Discovered by ZDM

Apr 3, 2026

Updated: severity, tags

Apr 3, 2026

Version History

Last enriched 4h ago

v2Tier C4h ago

Updated severity to CRITICAL, noted no exploit exists, and added new tag 'critical'.

severitytags

via VulDB

v15h ago

Initial creation