Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

Vulnerability IntelligenceCVE-2026-35538

CVE-2026-35538

LOW3.1

An issue was discovered in Roundcube Webmail before 1

Published Apr 3, 2026

Modified 3 weeks ago

Details

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.

References

WEB

https://github.com/roundcube/roundcubemail/commit/5fe8a69956a9683a4269f3ad2a68e18deebf8a15

WEB

https://github.com/roundcube/roundcubemail/commit/7daf5aa9c190ccc75bb31672d8fee9938877fd64

WEB

https://github.com/roundcube/roundcubemail/commit/b18a8fa8e81571914c0ff55d4e20edb459c6952c

WEB

https://github.com/roundcube/roundcubemail/releases/tag/1.5.14

WEB

https://github.com/roundcube/roundcubemail/releases/tag/1.6.14

WEB

https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5

WEB

https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2026-35538

CVSS Analysis

CVSS v3.1

3.1

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

HighAC:H

Privileges Required

LowPR:L

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

LowI:L

Availability

NoneA:N

3.1/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Weakness Type (CWE)

Other

CWE-88

Ecosystems

Timeline

PublishedApr 3, 2026

ModifiedApr 3, 2026

CVE-2026-35538 | Mondoo Vulnerability Intelligence