{"id":"CVE-2026-35538","details":"An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.","aliases":["GHSA-8jr8-v43g-5c57"],"modified":"2026-07-15T01:49:06.839572692Z","published":"2026-04-03T03:35:36.925Z","database_specific":{"cna_assigner":"mitre","cwe_ids":["CWE-88"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35538.json"},"references":[{"type":"WEB","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"},{"type":"WEB","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.6.14"},{"type":"WEB","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5"},{"type":"WEB","url":"https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35538.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35538"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/5fe8a69956a9683a4269f3ad2a68e18deebf8a15"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/7daf5aa9c190ccc75bb31672d8fee9938877fd64"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/b18a8fa8e81571914c0ff55d4e20edb459c6952c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/roundcube/roundcubemail","events":[{"introduced":"0"},{"fixed":"d742954ccbcdee7020f8f2e7c49ce0fca5a0efab"},{"introduced":"993b888afe29c383bf45c84f17090f4db96367ba"},{"fixed":"27ec6cc9cb25e1ef8b4d4ef39ce76d619caa6870"},{"fixed":"5fe8a69956a9683a4269f3ad2a68e18deebf8a15"},{"fixed":"7daf5aa9c190ccc75bb31672d8fee9938877fd64"},{"fixed":"b18a8fa8e81571914c0ff55d4e20edb459c6952c"},{"fixed":"8e4a99b0746577c2928f5ae984b3ab533b970ca0"}],"database_specific":{"cpe":"cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"1.5.14"},{"introduced":"1.6.0"},{"fixed":"1.6.14"}],"source":["CPE_RANGE","REFERENCES"]}}],"versions":["1.7-rc4","1.5.13","1.6.13","1.7-rc3","1.7-rc2","1.5.12","1.6.12","1.7-rc","1.5.11","1.7-beta2","1.7-beta","1.5.10","1.6.11","1.6.10","1.5.9","1.6.9","1.5.8","1.6.8","1.5.7","1.6.7","1.6.6","1.5.6","1.6.5","1.5.5","1.6.4","1.6.3","1.5.4","1.6.2","1.6.1","1.5.3","1.6.0","1.6-beta","1.5.2","1.5.1","1.5.0","1.5-rc","1.5-beta","1.4-rc2","1.4-rc1","1.4-beta","1.3-beta","1.2-rc","1.2-beta","1.1.0","1.1-rc","1.1-beta","v0.1-beta2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35538.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"}]}