
Commit d64c7e7

1 parent 227f256 commit d64c7e7


2 files changed

+60
-9
lines changed


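--- a/advisories/unreviewed/2026/04/GHSA-46pv-mj2g-93gh/GHSA-46pv-mj2g-93gh.json
+++ b/advisories/github-reviewed/2026/04/GHSA-46pv-mj2g-93gh/GHSA-46pv-mj2g-93gh.json
@@ -1,19 +1,40 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-46pv-mj2g-93gh",
-"modified": "2026-04-03T06:31:32Z",
+"modified": "2026-04-04T06:54:24Z",
 "published": "2026-04-03T06:31:32Z",
 "aliases": [
 "CVE-2026-35541"
 ],
+"summary": "Roundcube Webmail: Incorrect password comparison in the password plugin",
 "details": "An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.",
 "severity": [
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
 }
 ],
-"affected": [],
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "roundcube/roundcubemail"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "1.7-beta"
+},
+{
+"fixed": "1.7-rc5"
+}
+]
+}
+]
+}
+],
 "references": [
 {
 "type": "ADVISORY",
@@ -31,6 +52,10 @@
 "type": "WEB",
 "url": "https://github.com/roundcube/roundcubemail/commit/6fa2bddc59b9c9fd31cad4a9e2954a208d793dce"
 },
+{
+"type": "PACKAGE",
+"url": "https://github.com/roundcube/roundcubemail"
+},
 {
 "type": "WEB",
 "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"
@@ -53,8 +78,8 @@
 "CWE-843"
 ],
 "severity": "MODERATE",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-04T06:54:24Z",
 "nvd_published_at": "2026-04-03T05:16:22Z"
 }
 }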
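Review bot: The new `affected` range covers only the 1.7 pre-releases (`"introduced": "1.7-beta"` to `"fixed": "1.7-rc5"`), while the `details` text says the issue affects Roundcube Webmail before 1.5.14 and 1.6.14 and the references point at the 1.5.14 release. As written, dependency scanners that match on `affected` would not flag stable 1.5.x or 1.6.x installs of `roundcube/roundcubemail`, so a reviewed advisory could read as "not affected" for the versions the text names. If those releases are published on Packagist, add ranges for them, for example events `{"introduced": "0"}, {"fixed": "1.5.14"}` and `{"introduced": "1.6.0"}, {"fixed": "1.6.14"}`, with the lower bounds confirmed against the upstream advisory. The same gap is in GHSA-vxg2-hhgr-37fx.json, whose `details` give 1.6.0 before 1.6.14 but whose only range is also 1.7-beta to 1.7-rc5.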

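--- a/advisories/unreviewed/2026/04/GHSA-vxg2-hhgr-37fx/GHSA-vxg2-hhgr-37fx.json
+++ b/advisories/github-reviewed/2026/04/GHSA-vxg2-hhgr-37fx/GHSA-vxg2-hhgr-37fx.json
@@ -1,19 +1,40 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vxg2-hhgr-37fx",
-"modified": "2026-04-03T06:31:32Z",
+"modified": "2026-04-04T06:53:55Z",
 "published": "2026-04-03T06:31:32Z",
 "aliases": [
 "CVE-2026-35540"
 ],
+"summary": "Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages",
 "details": "An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.",
 "severity": [
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
 }
 ],
-"affected": [],
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "roundcube/roundcubemail"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "1.7-beta"
+},
+{
+"fixed": "1.7-rc5"
+}
+]
+}
+]
+}
+],
 "references": [
 {
 "type": "ADVISORY",
@@ -27,6 +48,10 @@
 "type": "WEB",
 "url": "https://github.com/roundcube/roundcubemail/commit/579b68eff90650a5c782e153debd66c765648942"
 },
+{
+"type": "PACKAGE",
+"url": "https://github.com/roundcube/roundcubemail"
+},
 {
 "type": "WEB",
 "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.14"
@@ -42,11 +67,12 @@
 ],
 "database_specific": {
 "cwe_ids": [
-"CWE-669"
+"CWE-669",
+"CWE-918"
 ],
 "severity": "MODERATE",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-04T06:53:55Z",
 "nvd_published_at": "2026-04-03T05:16:22Z"
 }
 }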
