CVE-2026-35538PATCHED

roundcube · webmail

CVE-2026-35538: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could l

Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.

Affected Products

Vendor	Product	Versions
roundcube	webmail	0, 1.6.0

References

Related News (1 articles)

Tier C

VulDB2h ago

CVE-2026-35538 | Roundcube Webmail up to 1.5.13/1.6.13 IMAP SEARCH Command Argument argument injection

→ No new info (linked only)

CVSS 3.13.1 CRITICAL

VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

1.5.141.6.14

CWECWE-88

PublishedApr 3, 2026

Last enriched2h agov2

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-35540EXP

CVE-2026-35540: An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization

Trending: 48

HIGHCVE-2026-35542EXP

CVE-2026-35542: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed

Trending: 48

HIGHCVE-2026-35544EXP

CVE-2026-35544: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitiz

Trending: 48

HIGHCVE-2026-35539

CVE-2026-35539: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachmen

Trending: 28

HIGHCVE-2026-35545

CVE-2026-35545: An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed

Trending: 28

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 3, 2026

Patch Available

Apr 3, 2026

Discovered by ZDM

Apr 3, 2026

Updated: severity, tags

Apr 3, 2026

Version History

Last enriched 2h ago

v2Tier C2h ago

Updated severity to CRITICAL, noted no exploit exists, and added new tag 'critical'.

severitytags

via VulDB

v13h ago

Initial creation