Zero Day Monitor (ZDM)
CVE-2026-35541 · PATCHED · CVSS 4.2
roundcube · webmail

CVE-2026-35541: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plu

Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.

Affected Products

Vendor: roundcube
Product: webmail
Versions: composer/roundcube/roundcubemail: >= 1.7-beta, < 1.7-rc5

References

  • https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
  • https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
  • https://github.com/roundcube/roundcubemail/commit/6a275676a8043083c05c961914d830b79e2490d4
  • https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
  • https://github.com/roundcube/roundcubemail/commit/6fa2bddc59b9c9fd31cad4a9e2954a208d793dce
  • https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
  • https://github.com/roundcube/roundcubemail/commit/2e6a99b2a38110907ea8d3be8e59ec3d5802c394

Related News (1 article)

Tier C
VulDB · 2d ago
CVE-2026-35541 | Roundcube Webmail up to 1.5.13/1.6.13 Password Plugin type confusion
→ No new info (linked only)
CVSS 3.1: 4.2 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA KEV: ❌ No
Actively exploited: ❌ No
Patch available: roundcube/roundcubemail@1.7-rc5
CWE: CWE-843
Published: Apr 3, 2026
Last enriched: 2d ago (v2)
Trending Score: 15
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

MEDIUM · CVE-2026-35544 · EXP
CVE-2026-35544: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitiz
Trending: 45

MEDIUM · CVE-2026-35542 · EXP
CVE-2026-35542: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed
Trending: 35

MEDIUM · CVE-2026-35540 · EXP
CVE-2026-35540: An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization
Trending: 28

MEDIUM · CVE-2026-35543
CVE-2026-35543: An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed
Trending: 23

MEDIUM · CVE-2026-35545
CVE-2026-35545: An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed
Trending: 23

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 3, 2026
Discovered by ZDM: Apr 3, 2026
Updated (affectedVersions): Apr 3, 2026
Patch Available: Apr 3, 2026

Version History

v2 · Tier C · last enriched 2d ago

Updated affected versions to 1.5.13 and 1.6.13, and corrected exploit availability to false.

affectedVersions via VulDB

v1 · 2d ago

Initial creation