CVE-2025-49113 | THREATINT

Description

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

PUBLISHED Reserved 2025-06-02 | Published 2025-06-02 | Updated 2026-02-20 | Assigner mitre

CRITICAL: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA Known Exploited Vulnerability

Date added 2026-02-20 | Due date 2026-03-13

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status

unaffected

Any version before 1.5.10

affected

1.6.0 (semver) before 1.6.11

affected

References

www.cisa.gov/...erabilities-catalog?field_cve=CVE-2025-49113 government-resource

www.openwall.com/lists/oss-security/2025/06/02/3

lists.debian.org/debian-lts-announce/2025/06/msg00008.html

roundcube.net/...25/06/01/security-updates-1.6.11-and-1.5.10

github.com/roundcube/roundcubemail/pull/9865

github.com/roundcube/roundcubemail/releases/tag/1.6.11

github.com/...ommit/0376f69e958a8fef7f6f09e352c541b4e7729c4d

github.com/roundcube/roundcubemail/releases/tag/1.5.10

github.com/...ommit/7408f31379666124a39f9cb1018f62bc5e2dc695

github.com/...ommit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e

fearsoff.org/research/roundcube

www.vicarius.io/...5-49113-roundcube-vulnerability-detection

www.vicarius.io/...ve-2025-49113-roundcube-mitigation-script

cve.org (CVE-2025-49113)

nvd.nist.gov (CVE-2025-49113)

Download JSON

help @ threatint.eu