
Webmail CVE-2026-35538

EUVD-2026-18579 · LOW
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-04-03 · mitre · GHSA-8jr8-v43g-5c57
3.1 (CVSS 3.1 · NVD)

Severity by source

NVD PRIMARY
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

Lifecycle Timeline

  • Apr 04, 2026 - 08:30 (nvd): Patch released. Patch available.
  • Apr 03, 2026 - 04:30 (euvd): EUVD ID assigned. EUVD-2026-18579
  • Apr 03, 2026 - 04:30 (vuln.today): Analysis generated.
  • Apr 03, 2026 - 03:35 (nvd): CVE published. LOW 3.1

Description (CVE.org)

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.

Analysis (AI)

Roundcube Webmail before versions 1.5.14 and 1.6.14 allows authenticated remote attackers to conduct IMAP injection attacks or bypass CSRF protections via unsanitized IMAP SEARCH command arguments. The vulnerability requires user interaction (high complexity) and authenticated access, resulting in limited integrity impact without confidentiality or availability compromise. …


Vulnerability Assessment (AI)

Risk Assessment: The risk profile is moderate-to-low despite the CVSS score of 3.1 (Low severity). …

Exploit Scenario: An authenticated Roundcube user receives a phishing email containing a crafted link that, when clicked while logged into Roundcube, injects IMAP commands into a background mail search request. Alternatively, an attacker with legitimate Roundcube account access manually injects IMAP protocol sequences into the search form to manipulate mail retrieval or trigger unintended server-side behavior. …

Remediation: Administrators must upgrade Roundcube Webmail to version 1.5.14 or later in the 1.5.x branch, or version 1.6.14 or later in the 1.6.x branch. …
