{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35539", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-03T03:39:16.997Z", "datePublished": "2026-04-03T03:39:17.400Z", "dateUpdated": "2026-04-03T13:10:55.717Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Webmail", "vendor": "Roundcube", "versions": [{"lessThan": "1.5.14", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "1.6.14", "status": "affected", "version": "1.6.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T03:39:17.400Z"}, "references": [{"url": "https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5"}, {"url": "https://github.com/roundcube/roundcubemail/commit/1b30edf5369668c92fe91dae3d52e477c808aa4f"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.14"}, {"url": "https://github.com/roundcube/roundcubemail/commit/10a6d1fa8acac85c727b0a6ae4a6642bfa27bea1"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"}, {"url": "https://github.com/roundcube/roundcubemail/commit/d742954ccbcdee7020f8f2e7c49ce0fca5a0efab"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T13:10:48.319229Z", "id": "CVE-2026-35539", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:10:55.717Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35539", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-03T03:39:16.997Z", "datePublished": "2026-04-03T03:39:17.400Z", "dateUpdated": "2026-04-03T13:10:55.717Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Webmail", "vendor": "Roundcube", "versions": [{"lessThan": "1.5.14", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "1.6.14", "status": "affected", "version": "1.6.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T03:39:17.400Z"}, "references": [{"url": "https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5"}, {"url": "https://github.com/roundcube/roundcubemail/commit/1b30edf5369668c92fe91dae3d52e477c808aa4f"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.14"}, {"url": "https://github.com/roundcube/roundcubemail/commit/10a6d1fa8acac85c727b0a6ae4a6642bfa27bea1"}, {"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"}, {"url": "https://github.com/roundcube/roundcubemail/commit/d742954ccbcdee7020f8f2e7c49ce0fca5a0efab"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35539", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T13:10:48.319229Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:10:52.287Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "matchCriteriaId": "40F75FD7-CF6D-4DC4-A33D-625D0F02FAB3", "versionEndExcluding": "1.5.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "matchCriteriaId": "AF4B6448-D4F5-4680-B32C-9366630E9485", "versionEndExcluding": "1.6.14", "versionStartIncluding": "1.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment."}], "id": "CVE-2026-35539", "lastModified": "2026-04-07T20:53:07.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-03T05:16:21.920", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/roundcube/roundcubemail/commit/10a6d1fa8acac85c727b0a6ae4a6642bfa27bea1"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/roundcube/roundcubemail/commit/1b30edf5369668c92fe91dae3d52e477c808aa4f"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/roundcube/roundcubemail/commit/d742954ccbcdee7020f8f2e7c49ce0fca5a0efab"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.14"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.14)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.6.0,1.6.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Webmail", "source": "cna", "vendor": "Roundcube"}, "product": "webmail", "vendor": "roundcube"}], "analysis": {"en": {"generated_at": "2026-04-07T23:54:08.464672+00:00", "value": {"mitigation_remediation": ["Upgrade Roundcube Webmail to version 1.5.14, 1.6.14, or a later release such as 1.7\u2011rc5 or newer from the vendor\u2019s official release channel.", "If an immediate upgrade is not possible, disable the HTML attachment preview feature in the webmail configuration to prevent rendering of potentially unsafe content.", "Monitor email traffic for unexpected HTML attachments and block them or warn users about suspicious attachments before previewing."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of Roundcube Webmail that are running software versions older than 1.5.14 and 1.6.14 are affected. Users who have not upgraded to the patched releases introduced in the 1.5.14, 1.6.14, or later 1.7\u2011rc5 releases are at risk. The vulnerability applies to any deployment where the webmail client can render HTML attachments in preview mode.", "description_and_impact": "Roundcube Webmail versions prior to 1.5.14 and 1.6.14 allow a malicious user to inject JavaScript by delivering an HTML attachment that the webmail interface will preview without proper sanitization. When a victim opens the preview, the embedded script runs in the victim\u2019s browser context, enabling the attacker to steal session cookies, deface the interface, or otherwise compromise the user\u2019s browser session. This weakness maps to CWE\u201179, an injection flaw that allows arbitrary client\u2011side code execution.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderate severity impact on confidentiality and integrity. The EPSS score of less than 1% suggests that exploitation of this flaw is unlikely to be broadly observed in the wild. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed active exploits as of the data snapshot. The likely attack vector is client\u2011side: the attacker must embed malicious content in an email attachment and persuade, or trick, a user to preview the attachment; once the preview is rendered, the script will execute within the victim\u2019s browser."}}}}, "created": "2026-04-03T08:57:51.650516+00:00", "updated": "2026-04-08T19:54:23.403904+00:00", "vendors": ["roundcube", "roundcube$PRODUCT$webmail"]}