CVE-2026-35537

CVSS v3.1

3.7

Low

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

CVE-2026-35537

Affected Products

Webmail

CVE-2026-35537

Weakness Enumeration

Related Identifiers

Affected Products

References · 8