CVE-2026-35538
LOW
NVD
CVSS Score
3.1
Severity
LOW
Published
Apr 03, 2026
Vendor
unknown
Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
References
- https://github.com/roundcube/roundcubemail/commit/5fe8a69956a9683a4269f3ad2a68e18deebf8a15
- https://github.com/roundcube/roundcubemail/commit/7daf5aa9c190ccc75bb31672d8fee9938877fd64
- https://github.com/roundcube/roundcubemail/commit/b18a8fa8e81571914c0ff55d4e20edb459c6952c
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.14