CVE-2026-35537 LOW

Vendor Roundcube
Product Webmail
Weakness CWE-502 · Unsafe deserialization
Published April 3, 2026
Last update April 11, 2026

CVSS base score

3.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.

Key dates

02 Disclosure timeline

April 3, 2026 CVE published
April 11, 2026 Record updated