CVE-2026-35541

MEDIUM · CVSS 3.1: 4.2 · EPSS 15.3%
Published Apr 3, 2026 (2mo ago) · Last Modified Jun 17, 2026 (2w ago)

Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.

CVSS Details

Base Score 4.2
Exploitability 1.6
Impact 2.5
Vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
15.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-843

Affected Products 2

Vendor     Product  Version  Range
roundcube  webmail  *        <1.5.14
roundcube  webmail  *        ≥1.6.0 – <1.6.14

References 7

  • github.com https://github.com/roundcube/roundcubemail/commit/2e6a99b2a38110907ea8d3be8e59ec3d5802c394
    Patch
  • github.com https://github.com/roundcube/roundcubemail/commit/6a275676a8043083c05c961914d830b79e2490d4
    Patch
  • github.com https://github.com/roundcube/roundcubemail/commit/6fa2bddc59b9c9fd31cad4a9e2954a208d793dce
    Patch
  • github.com https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
    Release Notes
  • github.com https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
    Release Notes
  • github.com https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
    Release Notes
  • roundcube.net https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
    Vendor Advisory

Remediation

  • github.com https://github.com/roundcube/roundcubemail/commit/2e6a99b2a38110907ea8d3be8e59ec3d5802c394
    Patch
  • github.com https://github.com/roundcube/roundcubemail/commit/6a275676a8043083c05c961914d830b79e2490d4
    Patch
  • github.com https://github.com/roundcube/roundcubemail/commit/6fa2bddc59b9c9fd31cad4a9e2954a208d793dce
    Patch