CVE-2026-35538
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-35538
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 1.6.5+dfsg-1+deb12u8 |
| debian | bullseye | fixed | 1.4.15+dfsg.1-1+deb11u8 |
| debian | sid | fixed | 1.6.14+dfsg-1 |
| debian | trixie | fixed | 1.6.15+dfsg-0+deb13u1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | roundcube/roundcubemail | >=1.7-beta,<1.7-rc5 | 1.7-rc5 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-35538
- https://github.com/roundcube/roundcubemail/commit/5fe8a69956a9683a4269f3ad2a68e18deebf8a15
- https://github.com/roundcube/roundcubemail/commit/7daf5aa9c190ccc75bb31672d8fee9938877fd64
- https://github.com/roundcube/roundcubemail/commit/b18a8fa8e81571914c0ff55d4e20edb459c6952c
- https://github.com/roundcube/roundcubemail
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
- https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
- https://security-tracker.debian.org/tracker/CVE-2026-35538
Verify integrity in audit chain (admin only). AS-IS.