CVE-2026-35537
HIGH WAF: Medium
CVSS 7.5
Published: 2026-04-03
CWE-502
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
WAF Coverage Analysis
Insecure Deserialization
Medium WAF Coverage
OWASP: A08:2021 Software and Data Integrity Failures
944xxx - Java Attack
Affected Software
| Vendor | Product | Version |
|---|---|---|
| roundcube | webmail | up to 1.5.14 |
| roundcube | webmail | 1.6.0 - 1.6.14 |
References
- github.com (Patch)
- github.com (Patch)
- github.com (Patch)
- github.com (Release Notes)
- github.com (Release Notes)
- github.com (Release Notes)
- roundcube.net (Third Party Advisory)
- www.openwall.com (Issue Tracking, Mailing List)