This vulnerability affects Roundcube Webmail prior to versions 1.5.14 and 1.6.14. It arises from improper sanitization of IMAP SEARCH command arguments, which could allow an attacker to perform IMAP injection or bypass CSRF protections during mail search operations. The issue is categorized as CWE-88, indicating that argument delimiters are not properly neutralized, potentially enabling injection attacks. The CVSS 3.1 base score is 3.1, with network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality or availability impact, and low integrity impact.

The vulnerability could allow an attacker to inject commands into the IMAP SEARCH function or bypass CSRF protections, potentially manipulating mail search behavior. However, the impact is limited to low integrity impact without confidentiality or availability loss. The low CVSS score reflects limited risk under typical conditions.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or remediation level is provided, users should monitor Roundcube's official channels for updates. Until a fix is available, cautious handling of IMAP SEARCH inputs and restricting access to trusted users may reduce risk.