{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35538", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-03T03:35:36.541Z", "datePublished": "2026-04-03T03:35:36.925Z", "dateUpdated": "2026-04-03T13:11:22.365Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Webmail", "vendor": "Roundcube", "versions": [{"lessThan": "1.5.14", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "1.6.14", "status": "affected", "version": "1.6.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T03:35:36.925Z"}, "references": [{"url": "https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5"}, {"url": "https://github.com/roundcube/roundcubemail/commit/5fe8a69956a9683a4269f3ad2a68e18deebf8a15"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.14"}, {"url": "https://github.com/roundcube/roundcubemail/commit/b18a8fa8e81571914c0ff55d4e20edb459c6952c"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"}, {"url": "https://github.com/roundcube/roundcubemail/commit/7daf5aa9c190ccc75bb31672d8fee9938877fd64"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T13:11:14.379629Z", "id": "CVE-2026-35538", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:11:22.365Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35538", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T13:11:14.379629Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:11:18.792Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Roundcube", "product": "Webmail", "versions": [{"status": "affected", "version": "0", "lessThan": "1.5.14", "versionType": "semver"}, {"status": "affected", "version": "1.6.0", "lessThan": "1.6.14", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5"}, {"url": "https://github.com/roundcube/roundcubemail/commit/5fe8a69956a9683a4269f3ad2a68e18deebf8a15"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.14"}, {"url": "https://github.com/roundcube/roundcubemail/commit/b18a8fa8e81571914c0ff55d4e20edb459c6952c"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"}, {"url": "https://github.com/roundcube/roundcubemail/commit/7daf5aa9c190ccc75bb31672d8fee9938877fd64"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T03:35:36.925Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35538", "state": "PUBLISHED", "dateUpdated": "2026-04-03T13:11:22.365Z", "dateReserved": "2026-04-03T03:35:36.541Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-03T03:35:36.925Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "matchCriteriaId": "40F75FD7-CF6D-4DC4-A33D-625D0F02FAB3", "versionEndExcluding": "1.5.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "matchCriteriaId": "AF4B6448-D4F5-4680-B32C-9366630E9485", "versionEndExcluding": "1.6.14", "versionStartIncluding": "1.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search."}], "id": "CVE-2026-35538", "lastModified": "2026-04-07T20:54:28.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-03T05:16:21.647", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/roundcube/roundcubemail/commit/5fe8a69956a9683a4269f3ad2a68e18deebf8a15"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/roundcube/roundcubemail/commit/7daf5aa9c190ccc75bb31672d8fee9938877fd64"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/roundcube/roundcubemail/commit/b18a8fa8e81571914c0ff55d4e20edb459c6952c"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.14"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.5.14)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.6.0,1.6.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Webmail", "source": "cna", "vendor": "Roundcube"}, "product": "webmail", "vendor": "roundcube"}], "analysis": {"en": {"generated_at": "2026-04-07T23:54:28.148776+00:00", "value": {"mitigation_remediation": ["Upgrade Roundcube Webmail to version 1.5.14 or 1.6.14 or later"], "summary": {"action": "Apply Patch", "impact": "Injection or CSRF bypass via IMAP SEARCH arguments"}, "threat_synthesis": {"affected_systems": "All installations of Roundcube Webmail earlier than version 1.5.14 or 1.6.14 are affected. The issue impacts every environment that uses these legacy releases, regardless of operating system or deployment method. Versions 1.5.14, 1.6.14, 1.7\u2011rc5, and later contain the fix and are not vulnerable.", "description_and_impact": "Roundcube Webmail accepts IMAP SEARCH command arguments without proper sanitization, which permits an attacker to inject additional IMAP commands or bypass cross\u2011site request forgery protections when performing a mail search. The vulnerability is rooted in an injection weakness (CWE\u201188). The flaw could allow an attacker to attempt unauthorized actions against the IMAP server or the mailbox contents by exploiting the unsanitized input.", "risk_and_exploitability": "The CVSS score is 3.1, indicating a low overall severity. An EPSS score below 1% suggests that real\u2011world exploitation is unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the webmail interface, where an authenticated user may submit a crafted search query that is transmitted unfiltered to the IMAP server. These conditions are inferred from the description and are not explicitly stated in the source data."}}}}, "created": "2026-04-03T07:31:08.695221+00:00", "updated": "2026-04-08T19:54:24.546133+00:00", "vendors": ["roundcube", "roundcube$PRODUCT$webmail"]}