CVE-2026-35538
LOW 3.1 | EPSS 0.01%
Roundcube Webmail: Unsanitized IMAP SEARCH command arguments
Published: 4/3/2026 | Modified: 4/4/2026
Also known as: GHSA-8jr8-v43g-5c57
Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
Affected packages (2)
- Debian/roundcube: from 0, < 1.4.15+dfsg.1-1+deb11u8
- Packagist/roundcube/roundcubemail: >= 1.7-beta, < 1.7-rc5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
References (10)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-35538
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2026-35538
- PATCH: https://github.com/roundcube/roundcubemail
- WEB: https://github.com/roundcube/roundcubemail/commit/5fe8a69956a9683a4269f3ad2a68e18deebf8a15
- WEB: https://github.com/roundcube/roundcubemail/commit/7daf5aa9c190ccc75bb31672d8fee9938877fd64
- WEB: https://github.com/roundcube/roundcubemail/commit/b18a8fa8e81571914c0ff55d4e20edb459c6952c
- WEB: https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
- WEB: https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
- WEB: https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
- WEB: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14