
Commit 227f256

1 parent e932587 commit 227f256


3 files changed

+87
-12
lines changed


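--- a/advisories/unreviewed/2026/04/GHSA-8jr8-v43g-5c57/GHSA-8jr8-v43g-5c57.json
+++ b/advisories/github-reviewed/2026/04/GHSA-8jr8-v43g-5c57/GHSA-8jr8-v43g-5c57.json
@@ -1,19 +1,40 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-8jr8-v43g-5c57",
-"modified": "2026-04-03T06:31:32Z",
+"modified": "2026-04-04T06:50:35Z",
 "published": "2026-04-03T06:31:32Z",
 "aliases": [
 "CVE-2026-35538"
 ],
+"summary": "Roundcube Webmail: Unsanitized IMAP SEARCH command arguments",
 "details": "An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.",
 "severity": [
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"
 }
 ],
-"affected": [],
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "roundcube/roundcubemail"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "1.7-beta"
+},
+{
+"fixed": "1.7-rc5"
+}
+]
+}
+]
+}
+],
 "references": [
 {
 "type": "ADVISORY",
@@ -31,6 +52,10 @@
 "type": "WEB",
 "url": "https://github.com/roundcube/roundcubemail/commit/b18a8fa8e81571914c0ff55d4e20edb459c6952c"
 },
+{
+"type": "PACKAGE",
+"url": "https://github.com/roundcube/roundcubemail"
+},
 {
 "type": "WEB",
 "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"
@@ -53,8 +78,8 @@
 "CWE-88"
 ],
 "severity": "LOW",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-04T06:50:35Z",
 "nvd_published_at": "2026-04-03T05:16:21Z"
 }
 }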
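Review bot: The added `affected` range (`"introduced": "1.7-beta"`, `"fixed": "1.7-rc5"`) does not cover the releases that `details` names as vulnerable, "before 1.5.14 and 1.6.14", so a scanner that matches on ranges rather than prose would treat 1.5.x and 1.6.x installs as unaffected. If those branches are published under `roundcube/roundcubemail` on Packagist (not visible on this page), add ranges ending in `"fixed": "1.5.14"` and `"fixed": "1.6.14"`; if they are not, say so in `details` so the gap reads as intentional. The same range is added in GHSA-rxj3-rrwm-pj4r.json and GHSA-x4q5-8j5g-hpjc.json.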

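--- a/advisories/unreviewed/2026/04/GHSA-rxj3-rrwm-pj4r/GHSA-rxj3-rrwm-pj4r.json
+++ b/advisories/github-reviewed/2026/04/GHSA-rxj3-rrwm-pj4r/GHSA-rxj3-rrwm-pj4r.json
@@ -1,19 +1,40 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rxj3-rrwm-pj4r",
-"modified": "2026-04-03T06:31:32Z",
+"modified": "2026-04-04T06:50:14Z",
 "published": "2026-04-03T06:31:32Z",
 "aliases": [
 "CVE-2026-35537"
 ],
+"summary": "Roundcube Webmail: Unsafe deserialization in the redis/memcache session handler",
 "details": "An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.",
 "severity": [
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
 }
 ],
-"affected": [],
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "roundcube/roundcubemail"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "1.7-beta"
+},
+{
+"fixed": "1.7-rc5"
+}
+]
+}
+]
+}
+],
 "references": [
 {
 "type": "ADVISORY",
@@ -31,6 +52,10 @@
 "type": "WEB",
 "url": "https://github.com/roundcube/roundcubemail/commit/a4ead994d2f0ea92e4a1603196a197e0d5df1620"
 },
+{
+"type": "PACKAGE",
+"url": "https://github.com/roundcube/roundcubemail"
+},
 {
 "type": "WEB",
 "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"
@@ -53,8 +78,8 @@
 "CWE-502"
 ],
 "severity": "LOW",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-04T06:50:14Z",
 "nvd_published_at": "2026-04-03T04:17:10Z"
 }
 }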
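Review bot: `"severity": "LOW"` and the `I:L` / `AC:H` vector are carried over unchanged while the record is flipped to `"github_reviewed": true`, yet `details` describes arbitrary file write by unauthenticated attackers through unsafe deserialization (CWE-502). The vector may simply be inherited from the CVE source, but a reviewed record is what triage tooling sorts on, so it is worth confirming that the integrity impact and overall rating match the described outcome. If the low rating is deliberate, a sentence in `details` stating the limiting condition, such as the dependence on the redis/memcache session handler it already mentions, would keep readers from second-guessing it.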

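--- a/advisories/unreviewed/2026/04/GHSA-x4q5-8j5g-hpjc/GHSA-x4q5-8j5g-hpjc.json
+++ b/advisories/github-reviewed/2026/04/GHSA-x4q5-8j5g-hpjc/GHSA-x4q5-8j5g-hpjc.json
@@ -1,19 +1,40 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-x4q5-8j5g-hpjc",
-"modified": "2026-04-03T06:31:32Z",
+"modified": "2026-04-04T06:50:55Z",
 "published": "2026-04-03T06:31:32Z",
 "aliases": [
 "CVE-2026-35539"
 ],
+"summary": "Roundcube Webmail: Insufficient HTML attachment sanitization in preview mode",
 "details": "An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.",
 "severity": [
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
 }
 ],
-"affected": [],
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "roundcube/roundcubemail"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "1.7-beta"
+},
+{
+"fixed": "1.7-rc5"
+}
+]
+}
+]
+}
+],
 "references": [
 {
 "type": "ADVISORY",
@@ -31,6 +52,10 @@
 "type": "WEB",
 "url": "https://github.com/roundcube/roundcubemail/commit/d742954ccbcdee7020f8f2e7c49ce0fca5a0efab"
 },
+{
+"type": "PACKAGE",
+"url": "https://github.com/roundcube/roundcubemail"
+},
 {
 "type": "WEB",
 "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"
@@ -53,8 +78,8 @@
 "CWE-79"
 ],
 "severity": "MODERATE",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-04T06:50:55Z",
 "nvd_published_at": "2026-04-03T05:16:21Z"
 }
 }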
