Unsafe Deserialization in Roundcube Webmail by Roundcube
CVE-2026-35537

3.7LOW

Key Information:

Vendor: Roundcube
Status: Webmail
Vendor: CVE Published:; 3 April 2026

What is CVE-2026-35537?

An unsafe deserialization issue was identified in Roundcube Webmail prior to version 1.5.14 and 1.6.14, allowing unauthenticated attackers to manipulate session data. This could lead to arbitrary file writes, posing significant security risks to the integrity and confidentiality of server data. Users are encouraged to upgrade to the latest versions to mitigate this vulnerability effectively.

Affected Version(s)

Webmail 0 < 1.5.14

Webmail 1.6.0 < 1.6.14

References

https://roundcube.net/news/2026/03/18/security-updates-1....

https://github.com/roundcube/roundcubemail/releases/tag/1...

https://github.com/roundcube/roundcubemail/commit/6d586cf...

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 3, 2026
Vulnerability Reserved
Apr 3, 2026

CVE-2026-35537 Data

JSON