CVE-2026-35541
MEDIUM
NVD
CVSS Score
4.2
Severity
MEDIUM
Published
Apr 03, 2026
Vendor
unknown
Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.
References
- https://github.com/roundcube/roundcubemail/commit/2e6a99b2a38110907ea8d3be8e59ec3d5802c394
- https://github.com/roundcube/roundcubemail/commit/6a275676a8043083c05c961914d830b79e2490d4
- https://github.com/roundcube/roundcubemail/commit/6fa2bddc59b9c9fd31cad4a9e2954a208d793dce
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.14