CVE-2026-35541

4.2 MEDIUM
Published: April 03, 2026 Modified: April 07, 2026
View on NVD

Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/roundcube/roundcubemail/commit/2e6a99b2a38110907ea8d3be8e59ec3d5802c394
Source: cve@mitre.org
Patch
https://github.com/roundcube/roundcubemail/commit/6a275676a8043083c05c961914d830b79e2490d4
Source: cve@mitre.org
Patch
https://github.com/roundcube/roundcubemail/commit/6fa2bddc59b9c9fd31cad4a9e2954a208d793dce
Source: cve@mitre.org
Patch
https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
Source: cve@mitre.org
Release Notes
https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
Source: cve@mitre.org
Release Notes
https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
Source: cve@mitre.org
Release Notes
https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
Source: cve@mitre.org
Vendor Advisory

7 reference(s) from NVD

Quick Stats

CVSS v3 Score
4.2 / 10.0
EPSS (Exploit Probability)
0.0%
11th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-843

Affected Vendors

roundcube

Related CVEs

CVE-2026-6560 8.8
CVE-2026-6559 4.3
CVE-2026-0868 6.4
CVE-2026-6056 N/A
CVE-2026-41242 N/A