Vulnerability Description
An issue was discovered in Roundcube Webmail before 1.5.14 and in 1.6.x before 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
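As an added example (not code from this page, the CVE record, or the Roundcube project), the following Python helper turns the affected-version statement above into a branch-aware check and runs it over a constructed host inventory. It assumes the fixed releases named in the references (1.5.14, 1.6.14 and 1.7-rc5). Treating 1.7 release candidates before rc5 as affected is an inference from 1.7-rc5 being listed as a security-update release, not something the description states, and the hostnames and versions in the sample inventory are made up.

```python
import re
from typing import List, Optional, Tuple

# Fixed releases named in this page's references: 1.5.14, 1.6.14 and 1.7-rc5.
FIXED_PATCH_BY_BRANCH = {(1, 5): 14, (1, 6): 14}
FIXED_17_RC = 5  # 1.7-rc5 is listed as the security-update release candidate

# Accepts "1.6.14", "1.6", "1.7-rc5" and an optional leading "v".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?$")

Version = Tuple[int, int, int, Optional[int]]


def parse_version(text: str) -> Version:
    """Parse a Roundcube version string into (major, minor, patch, rc).

    A missing patch component is treated as 0; rc is None for final releases.
    Raises ValueError on anything that does not look like a Roundcube version.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0,
            int(rc) if rc else None)


def is_affected(text: str) -> bool:
    """Return True if the given release predates the fix for CVE-2026-35537.

    Encodes "before 1.5.14 and 1.6.14" branch by branch: 1.5.x below 1.5.14,
    1.6.x below 1.6.14, and anything older than the 1.5 branch (which is
    literally "before 1.5.14"). Release candidates of a fixed branch parse
    with patch 0, so they are reported as affected as well.
    """
    major, minor, patch, rc = parse_version(text)
    if (major, minor) < (1, 5):
        return True
    if (major, minor) in FIXED_PATCH_BY_BRANCH:
        return patch < FIXED_PATCH_BY_BRANCH[(major, minor)]
    if (major, minor) == (1, 7):
        # Assumption: rc1..rc4 predate the 1.7-rc5 security release and are
        # affected; a final 1.7.x release is assumed to carry the fix.
        return rc is not None and rc < FIXED_17_RC
    # Assumption: branches newer than 1.7 are not affected by this CVE.
    return False


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host, version) pairs from an inventory that still need the update."""
    return [(host, version) for host, version in inventory if is_affected(version)]


# Constructed sample inventory; the hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("mail-a.example.internal", "1.6.13"),
    ("mail-b.example.internal", "1.6.14"),
    ("legacy.example.internal", "1.5.11"),
    ("staging.example.internal", "1.7-rc4"),
    ("edge.example.internal", "1.7-rc5"),
]


if __name__ == "__main__":
    for host, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: Roundcube {version} is affected by CVE-2026-35537, upgrade")
```

The check compares upstream release numbers only. A distribution package that backports the fix while keeping a lower version string will be reported as affected here, so confirm against the package changelog before raising a ticket on such hosts.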
CVSS Score
3.7 (LOW)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Roundcube | Webmail | < 1.5.14 |
| Roundcube | Webmail | 1.6.x < 1.6.14 |
Related Weaknesses (CWE)
References
- https://github.com/roundcube/roundcubemail/commit/618c5428edc69fb088e7ac6c89e506 (Patch)
- https://github.com/roundcube/roundcubemail/commit/6d586cfa4d8a31f7957f7a445aaedd (Patch)
- https://github.com/roundcube/roundcubemail/commit/a4ead994d2f0ea92e4a1603196a197 (Patch)
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.14 (Release Notes)
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.14 (Release Notes)
- https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5 (Release Notes)
- https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14 (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2026/04/11/6 (Issue Tracking, Mailing List)
FAQ
What is CVE-2026-35537?
CVE-2026-35537 is a vulnerability with a CVSS score of 3.7 (LOW). An issue was discovered in Roundcube Webmail before 1.5.14 and in 1.6.x before 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
How severe is CVE-2026-35537?
CVE-2026-35537 has been rated LOW with a CVSS base score of 3.7/10. Only the base score is listed above; no vector or metric breakdown is given.
Is there a patch for CVE-2026-35537?
Yes. The vendor advisory and release notes in the references section above cover the fixed releases 1.5.14, 1.6.14 and 1.7-rc5, and the three linked commits contain the patch. Affected products include: Roundcube Webmail.