CVE-2026-35539

Published: Apr 03, 2026 Last Modified: Apr 03, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 6,1
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: required
Scope: changed
Confidentiality: low
Integrity: low
Availability: none

Description

AI Translation Available

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.

79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Stable
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control Confidentiality Integrity Availability
Potential Impacts:
Bypass Protection Mechanism Read Application Data Execute Unauthorized Code Or Commands
Applicable Platforms
Technologies: AI/ML, Web Based, Web Server
Likelihood of Exploit: High
View CWE Details
https://github.com/roundcube/roundcubemail/commit/10a6d1fa8…
https://github.com/roundcube/roundcubemail/commit/10a6d1fa8acac85c727b0a6ae4a66…
https://github.com/roundcube/roundcubemail/commit/1b30edf53…
https://github.com/roundcube/roundcubemail/commit/1b30edf5369668c92fe91dae3d52e…
https://github.com/roundcube/roundcubemail/commit/d742954cc…
https://github.com/roundcube/roundcubemail/commit/d742954ccbcdee7020f8f2e7c49ce…
https://github.com/roundcube/roundcubemail/releases/tag/1.5…
https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
https://github.com/roundcube/roundcubemail/releases/tag/1.6…
https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
https://github.com/roundcube/roundcubemail/releases/tag/1.7…
https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
https://roundcube.net/news/2026/03/18/security-updates-1.7-…
https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14