Roundcube Webmail search function allows attackers to inject malicious commands
CVE-2026-35538
Summary
A security issue in Roundcube Webmail's mail search passes unsanitized arguments to the IMAP SEARCH command, allowing an attacker to potentially inject IMAP commands or bypass CSRF checks when searching emails. This could be used to hijack user sessions or steal sensitive information. To fix this, update to Roundcube Webmail version 1.5.14 or 1.6.14 or later.
Original title
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
NVD CVSS 3.1 score
3.1
Vulnerability type
CWE-88
- https://github.com/roundcube/roundcubemail/commit/5fe8a69956a9683a4269f3ad2a68e1...
- https://github.com/roundcube/roundcubemail/commit/7daf5aa9c190ccc75bb31672d8fee9...
- https://github.com/roundcube/roundcubemail/commit/b18a8fa8e81571914c0ff55d4e20ed...
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
- https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026