Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.

INFO

Published Date :

2026-04-03T03:28:29.321Z

Last Modified :

2026-04-03T03:28:29.321Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35537 vulnerability.

Vendors Products
Roundcube
  • Webmail
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35537.

URL Resource
https://github.com/roundcube/roundcubemail/commit/618c5428edc69fb088e7ac6c89e506dd39df3 cve-icon cve-icon
https://github.com/roundcube/roundcubemail/commit/6d586cfa4d8a31f7957f7a445aaedd52592a0e74 cve-icon cve-icon
https://github.com/roundcube/roundcubemail/commit/a4ead994d2f0ea92e4a1603196a197e0d5df1620 cve-icon cve-icon
https://github.com/roundcube/roundcubemail/releases/tag/1.5.14 cve-icon cve-icon
https://github.com/roundcube/roundcubemail/releases/tag/1.6.14 cve-icon cve-icon
https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5 cve-icon cve-icon
https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact