10.0
RoundCube Webmail Allows Remote Code Execution via Unvalidated Data
Known exploited
Exploitation likelihood: 90%
CVE-2025-49113
GHSA-8j8w-wwqc-x596
Summary
RoundCube Webmail deserializes attacker-controlled data because the _from URL parameter handled by program/actions/settings/upload.php is not validated. A user with valid webmail credentials (an ordinary account, no administrative rights are implied) can send a crafted request to that endpoint and execute arbitrary PHP on the server, which in practice means taking control of the webmail host. The flaw is listed as exploited in the wild. Update to 1.5.10 or 1.6.11 (or a later release on the same branch) to protect your system.
What to do
- On the 1.5 branch, update roundcube/roundcubemail to version 1.5.10 or later.
- On the 1.6 branch, update roundcube/roundcubemail to version 1.6.11 or later.
- On Debian, apply the distribution update referenced in the Debian LTS announcement listed under the references; no upstream fix version is recorded for the Debian entry on this page.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| roundcube | roundcubemail | < 1.5.10 | 1.5.10 |
| roundcube | roundcubemail | >= 1.6.0, < 1.6.11 | 1.6.11 |
| roundcube | webmail | < 1.5.10 | – |
| roundcube | webmail | >= 1.6.0, < 1.6.11 | – |
| debian | debian_linux | 11.0 | – |

The product names "webmail" (NVD) and "roundcubemail" (GitHub package) refer to the same software; a version is affected when it is below the fixed release on its branch.
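A small triage script for the ranges above, added here as an example and not part of this advisory or of the Roundcube project. It reads the version string out of program/include/iniset.php (the assumption that the file declares it as define('RCMAIL_VERSION', '...') is the example's own) and reports whether the install is below the fixed release on its branch, 1.5.10 or 1.6.11. The embedded iniset.php snippet is constructed so the script runs offline.

```python
"""Version triage for CVE-2025-49113 (added example, not advisory or
Roundcube project code): reads the version string out of Roundcube's
program/include/iniset.php and reports whether it is below the fixed
release on its branch (1.5.10 or 1.6.11)."""
import re
import sys
from typing import Optional, Tuple

# Assumption: iniset.php declares the version as define('RCMAIL_VERSION', '1.6.x');
VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")

# Constructed stand-in for the real file so the script runs offline.
SAMPLE_INISET = "<?php\n/* bootstrap */\ndefine('RCMAIL_VERSION', '1.6.10');\n"


def version_from_iniset(php_source: str) -> Optional[str]:
    """Return the RCMAIL_VERSION value, or None if the pattern is absent."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def parse_version(s: str) -> Tuple[int, int, int]:
    """'1.6.9' -> (1, 6, 9). A missing patch level counts as 0 and any
    suffix such as '-git' or '-rc1' is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True when the version predates the fix on its branch.

    Everything below 1.5.10 is affected (this also covers end-of-life 1.4.x
    and older); on the 1.6 branch, 1.6.0 through 1.6.10 are affected.
    1.5.10+, 1.6.11+ and later branches are outside the advisory's ranges."""
    v = parse_version(version)
    if v < (1, 5, 10):
        return True
    if (1, 6, 0) <= v < (1, 6, 11):
        return True
    return False


def triage(php_source: str) -> str:
    """One-line verdict for the content of an iniset.php file."""
    ver = version_from_iniset(php_source)
    if ver is None:
        return "RCMAIL_VERSION not found; check the install manually"
    state = "AFFECTED, update now" if is_affected(ver) else "not affected by CVE-2025-49113"
    return f"Roundcube {ver}: {state}"


if __name__ == "__main__":
    # Usage: python3 triage.py /path/to/roundcube/program/include/iniset.php
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INISET
    print(triage(src))
```

Run it against each Roundcube install's iniset.php; a container image or a distribution package may carry a patched build with an unchanged version string, so for those rely on the package changelog rather than this check.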
Original title
RoundCube Webmail Deserialization of Untrusted Data Vulnerability
Original description
RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.
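Because the description pins the flaw to the _from parameter of the settings upload action, a log sweep can look for that parameter carrying anything other than a plain identifier. The script below is an added example, not the advisory's or the project's code: it parses combined-format access log lines, keeps only requests to _task=settings&_action=upload, and flags a _from value that contains a PHP serialized-object header (O:<len>:"...") or characters outside a short allowlist. The allowlist (a legitimate value looks like edit-identity) and the sample log lines are the example's own assumptions and constructed data, not real traffic or a real payload.

```python
"""Access-log sweep for CVE-2025-49113 exploitation attempts (added example,
not the advisory's or the project's own code). It picks out requests to
Roundcube's settings/upload action and flags a _from parameter that is not
a plain token or that carries a PHP serialized-object marker."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format (Apache/nginx default): we only need client, time, path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: a legitimate _from value is a short identifier such as
# 'edit-identity'; this allowlist is the example's, not Roundcube's own check.
FROM_OK = re.compile(r"^[A-Za-z0-9_-]{1,40}$")
# PHP serialize() object header: O:<name length>:"<class name>"
PHP_OBJECT = re.compile(r'O:\d+:"')

# Constructed sample lines; the second and third are synthetic, not real payloads.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2025:08:12:01 +0000] "GET /?_task=settings&_action=upload&_from=edit-identity&_id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2025:08:13:44 +0000] "POST /?_task=settings&_action=upload&_from=bogus%21O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/Jun/2025:08:13:50 +0000] "POST /?_task=settings&_action=upload&_from=%3Cscript%3E HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '198.51.100.9 - - [10/Jun/2025:08:14:02 +0000] "GET /?_task=mail&_action=show&_uid=5 HTTP/1.1" 200 9021 "-" "Mozilla/5.0"',
]


def inspect(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None when nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m["path"]).query, keep_blank_values=True)
    # Only the settings/upload action reads _from (program/actions/settings/upload.php).
    if qs.get("_task") != ["settings"] or qs.get("_action") != ["upload"]:
        return None
    for raw in qs.get("_from", []):
        value = unquote_plus(raw)  # parse_qs decoded once; a second pass catches double encoding
        if PHP_OBJECT.search(value):
            reason = "serialized-object"
        elif not FROM_OK.match(value):
            reason = "unexpected-chars"
        else:
            continue
        return {"ip": m["ip"], "ts": m["ts"], "reason": reason, "from": value}
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Findings for every line, in input order."""
    return [f for f in (inspect(l) for l in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['reason']}: _from={f['from']!r}")
```

Parameters sent in a POST body do not appear in the access log, so a clean sweep of the query string is not proof of absence; pair this with the web server's request-body logging or a WAF log where available, and treat any hit as a reason to check for web shells and rotate credentials on the affected host.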
Vulnerability type
CWE-502
Deserialization of Untrusted Data
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-49113
- https://github.com/advisories/GHSA-8j8w-wwqc-x596
- https://fearsoff.org/research/roundcube (third-party advisory)
- https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541... (patch)
- https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62... (patch)
- https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a... (patch)
- https://github.com/roundcube/roundcubemail/pull/9865 (issue tracking)
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.10 (release notes)
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.11 (release notes)
- https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 (vendor advisory)
- https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-scrip... (exploit mitigation, third-party advisory)
- https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-de... (exploit mitigation, third-party advisory)
- http://www.openwall.com/lists/oss-security/2025/06/02/3 (mailing list, third-party advisory)
- https://lists.debian.org/debian-lts-announce/2025/06/msg00008.html (mailing list, third-party advisory)
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-... (US government resource, CISA KEV catalog)
Published: 20 Feb 2026 · Updated: 15 Mar 2026 · First seen: 6 Mar 2026