Plataforma
roundcube
Componente
roundcube/roundcubemail
Corrigido em
1.5.14
1.6.14
1.7-rc5
CVE-2026-35539 describes a cross-site scripting (XSS) vulnerability discovered in Roundcube Webmail versions prior to 1.5.14 and 1.6.14, and specifically affecting versions up to 1.7-rc4. This vulnerability allows an attacker to inject malicious scripts when a user previews a specially crafted text/html attachment. The vulnerability is fixed in Roundcube Webmail 1.7-rc5.
Successful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the context of the victim's webmail session. This could lead to account takeover, credential theft (via keylogging or phishing), or defacement of the webmail interface. The attacker needs to trick the victim into previewing a malicious attachment, making social engineering a key component of the attack. Given the sensitive nature of webmail accounts (containing email, contacts, and potentially other personal information), the potential impact is significant. The attack vector is attachment preview, which is a common feature, increasing the likelihood of exploitation.
CVE-2026-35539 was published on April 3, 2026. Severity is currently assessed as Medium. Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation of XSS vulnerabilities. There are no immediate reports of active exploitation campaigns targeting this vulnerability, but the widespread use of Roundcube Webmail makes it an attractive target. Monitor security advisories and threat intelligence feeds for updates.
Status do Exploit
EPSS
0.04% (percentil 13%)
CISA SSVC
Vetor CVSS
The primary mitigation for CVE-2026-35539 is to upgrade Roundcube Webmail to version 1.7-rc5 or later. If immediate upgrading is not possible, consider implementing stricter content security policies (CSP) within Roundcube to limit the execution of inline scripts. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting attachment preview functionality can provide an additional layer of defense. Carefully review and sanitize all incoming attachments before allowing users to preview them.
Actualice Roundcube Webmail a la versión 1.5.14 o 1.6.14 o superior. Esto corrige la sanitización insuficiente de archivos adjuntos HTML en el modo de vista previa, previniendo la ejecución de XSS. La actualización se puede realizar descargando la última versión desde el sitio web oficial de Roundcube y siguiendo las instrucciones de actualización.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2026-35539 is a cross-site scripting (XSS) vulnerability in Roundcube Webmail versions up to 1.7-rc4. It allows attackers to inject malicious scripts when a user previews a crafted text/html attachment.
You are affected if you are using Roundcube Webmail versions 1.5.14 or earlier, 1.6.14 or earlier, or 1.7-rc4 or earlier. Upgrade to 1.7-rc5 or later to mitigate the risk.
The recommended fix is to upgrade Roundcube Webmail to version 1.7-rc5 or later. As a temporary workaround, implement stricter content security policies (CSP) or use a WAF to block malicious attachment preview requests.
There are currently no confirmed reports of active exploitation campaigns targeting CVE-2026-35539, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the official Roundcube security advisory for CVE-2026-35539 on the Roundcube website: [https://roundcube.net/security/](https://roundcube.net/security/)
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.