CVE-2026-35539 — Roundcube Webmail: Insufficient HTML attachment sanitization in preview mode

Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.

How to fix CVE-2026-35539

To remediate CVE-2026-35539, upgrade the affected package to a fixed version below.

Debian/roundcube—upgrade to 1.4.15+dfsg.1-1+deb11u8 or later
—upgrade to 1.7-rc5 or later

Is CVE-2026-35539 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.4.15+dfsg.1-1+deb11u8
>= 1.7-beta, < 1.7-rc5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-35539
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-35539
PATCHgithub.com/roundcube/roundcubemail
WEBgithub.com/roundcube/roundcubemail/commit/10a6d1fa8acac85c727b0a6ae4a6642bfa27bea1