CVE-2026-62644
MEDIUM SEVERITYCVSS Score & Metrics
Base Score
6.4 / 10
Vector String
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Vulnerability Description
In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, the password plugin of the Roundcube Webmail was subject to username spoofing via session data, which could lead to account takeover.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-290
Source
NVD
Vendor
Roundcube
Product
Webmail
External References
- https://github.com/roundcube/roundcubemail/commit/5cdc6a48b40beabff7f0bf5d9035f4491e877e4c
- https://github.com/roundcube/roundcubemail/commit/7414fef51cd2407d39faab99680763f10ed5231d
- https://github.com/roundcube/roundcubemail/commit/83150ce04d689a70f92d511bcae40adba8d55476
- https://github.com/roundcube/roundcubemail/commit/9a96c20d8c7c9135876b68bebd6960af3ee60923
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.17
- https://github.com/roundcube/roundcubemail/releases/tag/1.7.2
- https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2
Discussion (0)
Add Comment
No comments yet. Be the first!