What is the CVSS score of CVE-2026-35544?

CVE-2026-35544 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-35544?

Yes, a patch is available for CVE-2026-35544. Update the affected software to the latest version immediately.

Webmail CVE-2026-35544

EUVD-2026-18591 MEDIUM

Incorrect Resource Transfer Between Spheres (CWE-669)

2026-04-03 mitre

GHSA-xpqh-grpw-4xmg

Authentication Bypass Webmail

5.3

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

5.3 MEDIUM

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

Patch released

Apr 04, 2026 - 08:30 nvd

Patch available

EUVD ID Assigned

Apr 03, 2026 - 04:30 euvd

EUVD-2026-18591

Analysis Generated

Apr 03, 2026 - 04:30 vuln.today

CVE Published

Apr 03, 2026 - 03:59 nvd

MEDIUM 5.3

DescriptionCVE.org

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.

AnalysisAI

Roundcube Webmail before versions 1.5.14 and 1.6.14 allows unauthenticated remote attackers to bypass CSS-based security mitigations in HTML email rendering by injecting !important declarations, enabling potential integrity attacks such as phishing or UI redressing. The vulnerability stems from insufficient CSS sanitization when processing HTML email messages, with no authentication required and minimal attack complexity.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents moderate real-world risk despite its modest CVSS score of 5.3. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker crafts a malicious HTML email containing CSS rules with !important declarations designed to override Roundcube's fixed-position security overlays. When a victim opens this email in Roundcube Webmail, the malicious CSS renders a fake login form or warning dialog on top of the legitimate email content, deceiving the user into clicking a phishing link or submitting credentials. …
Remediation	Vendor-released patches are available for all affected versions: upgrade to Roundcube Webmail 1.5.14 or later in the 1.5.x branch, or 1.6.14 or later in the 1.6.x branch. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-35544 vulnerability details – vuln.today

Back

Webmail CVE-2026-35544

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Share

External POC / Exploit Code