Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
AnalysisAI
Unsafe deserialization in Roundcube Webmail's Redis/Memcache session handler allows unauthenticated remote attackers to write arbitrary files by crafting malicious session data. Affected versions include all 1.6.x before 1.6.14 and all 1.5.x before 1.5.14. While the CVSS score of 3.7 is low and attack complexity is high, the integrity impact (arbitrary file write) poses a real risk to instances using Redis or Memcache for session storage.
Technical ContextAI
Roundcube Webmail uses Redis and Memcache as optional session storage backends for distributed deployments. The vulnerability stems from unsafe PHP object deserialization (CWE-502) in the session handler code, where attacker-controlled serialized data from the cache layer is deserialized without proper validation. An attacker can craft malicious serialized PHP objects that exploit PHP's object deserialization mechanism to trigger arbitrary file write operations through gadget chains or custom classes, even without authentication. This attack vector requires the attacker to have write access to the session store itself (or ability to intercept/modify cache data), which typically means network access to the unprotected Redis/Memcache port or a man-in-the-middle position.
RemediationAI
Upgrade Roundcube Webmail to version 1.5.14 or later (1.6.14 for the 1.6 branch, or 1.7-rc5 for bleeding-edge). Vendor-released patches are available at https://github.com/roundcube/roundcubemail/releases/tag/1.6.14 and https://github.com/roundcube/roundcubemail/releases/tag/1.5.14. As an interim mitigation, restrict network access to Redis and Memcache ports to trusted hosts only, enforce authentication on cache backends with strong credentials, and monitor for unusual serialized data in cache logs. The official advisory is available at https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14.
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i
UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific
Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user
Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.
A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab
An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability
An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4
goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18575
GHSA-rxj3-rrwm-pj4r