{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35538", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-03T03:35:36.541Z", "datePublished": "2026-04-03T03:35:36.925Z", "dateUpdated": "2026-04-03T13:11:22.365Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Webmail", "vendor": "Roundcube", "versions": [{"lessThan": "1.5.14", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "1.6.14", "status": "affected", "version": "1.6.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T03:35:36.925Z"}, "references": [{"url": "https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5"}, {"url": "https://github.com/roundcube/roundcubemail/commit/5fe8a69956a9683a4269f3ad2a68e18deebf8a15"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.14"}, {"url": "https://github.com/roundcube/roundcubemail/commit/b18a8fa8e81571914c0ff55d4e20edb459c6952c"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"}, {"url": "https://github.com/roundcube/roundcubemail/commit/7daf5aa9c190ccc75bb31672d8fee9938877fd64"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T13:11:14.379629Z", "id": "CVE-2026-35538", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:11:22.365Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search."}], "id": "CVE-2026-35538", "lastModified": "2026-04-03T05:16:21.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-03T05:16:21.647", "references": [{"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/5fe8a69956a9683a4269f3ad2a68e18deebf8a15"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/7daf5aa9c190ccc75bb31672d8fee9938877fd64"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/commit/b18a8fa8e81571914c0ff55d4e20edb459c6952c"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.14"}, {"source": "cve@mitre.org", "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5"}, {"source": "cve@mitre.org", "url": "https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.5.14)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.6.0,1.6.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Webmail", "source": "cna", "vendor": "Roundcube"}, "product": "webmail", "vendor": "roundcube"}], "analysis": {"en": {"generated_at": "2026-04-03T07:24:01.100134+00:00", "value": {"mitigation_remediation": ["Update Roundcube to version 1.5.14 or later (1.6.14, 1.7\u2011rc5, or the latest release).", "Verify that the running code base reflects the patched version and that all instances use the updated binaries.", "If an upgrade cannot be performed immediately, restrict or validate IMAP SEARCH queries on the server side to prevent malicious input.", "Ensure that CSRF tokens are enforced for any search-related actions in the webmail interface."], "summary": {"action": "Apply Patch", "impact": "Potential IMAP injection or CSRF bypass in Roundcube mail search"}, "threat_synthesis": {"affected_systems": "The flaw exists in all Roundcube releases prior to 1.5.14 and 1.6.14. Administrators should upgrade to the latest available releases\u20141.5.14, 1.6.14, 1.7\u2011rc5, or the current stable version\u2014to eliminate the risk.", "description_and_impact": "Roundcube Webmail permits users to submit IMAP SEARCH commands with arguments that are not properly sanitized. A crafted search query can inject additional IMAP instructions or allow an attacker to bypass CSRF protections during a mail search, which may expose private messages or compromise the authenticated session. The vulnerability is a form of injection that could be used to manipulate the mailbox or access data not intended for the user.", "risk_and_exploitability": "The assigned CVSS score of 3.1 indicates low severity, and no EPSS data is available. The vulnerability is not listed in the CISA KEV catalog. Exploitation likely involves forging IMAP SEARCH requests, possibly under an authenticated user, and does not require elevated privileges. The attack path is straightforward, so prompt patching is recommended to mitigate potential data exposure or CSRF bypass."}}}}, "created": "2026-04-03T07:31:08.695221+00:00", "title": "Unsanitized IMAP SEARCH arguments in Roundcube allow injection or CSRF bypass", "updated": "2026-04-03T09:15:56.351618+00:00", "vendors": ["roundcube", "roundcube$PRODUCT$webmail"]}