
Roundcube Webmail: Unauthenticated attackers can write arbitrary files

CVE-2026-35537
Summary

This security issue affects Roundcube Webmail versions before 1.5.14 and 1.6.14. Because of unsafe deserialization in the redis/memcache session handler, an unauthenticated attacker could write files on your server via crafted session data, which could lead to data loss or damage. Update to Roundcube Webmail 1.5.14 or 1.6.14 to fix the issue.

Original title
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated at...
Original description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
NVD CVSS 3.1: 3.7
Vulnerability type
CWE-502 Deserialization of Untrusted Data
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026