CVE-2026-35539

CVE-2026-35539 affects Roundcube Webmail prior to 1.5.14 and 1.6.14. The issue is an XSS vulnerability caused by insufficient HTML attachment sanitization in preview mode; a user must preview a text/html attachment for exploitation. The vulnerability is limited to scenarios where a victim preview...

CVE-2026-35539

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment...

CVE-2026-35539

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment...

CVE-2026-35539

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment...

CVE-2026-35538

This CVE affects Roundcube Webmail prior to 1.5.14 and prior to 1.6.14. The issue is unsanitized IMAP SEARCH arguments that can lead to IMAP injection or CSRF bypass during mail search. The connected sources indicate fixed releases: Roundcube 1.5.14 and 1.6.14 (and related security updates), so u...

CVE-2026-35538

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search...

CVE-2026-35538

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search...

CVE-2026-35538

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search...

CVE-2026-35537

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data...

CVE-2026-35537

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data...

CVE-2026-35537

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data...

CVE-2026-35537

The CVE-2026-35537 vulnerability affects Roundcube Webmail prior to 1.5.14 and 1.6.14, where unsafe deserialization in the redis/memcache session handler can allow unauthenticated attackers to perform arbitrary file writes via crafted session data. Several advisories confirm this issue and refere...

PT-2026-29980

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password...

PT-2026-29982

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content with animate attributes in an e-mail message. This may lead to information disclosure or access-control bypass...

PT-2026-29978

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment...

PT-2026-29975

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data...

PT-2026-29983

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets CSS sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important...

Roundcube Webmail 跨站脚本漏洞

Roundcube Webmail is an open-source browser-based IMAP client developed by Roundcube. It supports address book management, information search, spelling checking, etc. Versions of Roundcube Webmail prior to 1.5.14 and 1.6.14 had a cross-site scripting vulnerability. This vulnerability stemmed from...

Roundcube Webmail 安全漏洞

Roundcube Webmail is an open-source browser-based IMAP client developed by Roundcube. It supports address book management, information search, spelling checking, and more. Versions of Roundcube Webmail prior to 1.5.14 and 1.6.14 contained security vulnerabilities. These vulnerabilities stemmed fr...

Roundcube Webmail 安全漏洞

Roundcube Webmail is an open-source browser-based IMAP client developed by Roundcube. It supports address book management, information search, spelling checking, and more. Versions of Roundcube Webmail from 1.6.0 to 1.6.14 contained security vulnerabilities. These vulnerabilities were caused by...