CVE-2025-49113

critical

Description

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

References

References
More

https://securityaffairs.com/178615/hacking/roundcube-webmail-under-fire-critical-exploit-found-after-a-decade.html

https://thehackernews.com/2025/06/critical-10-year-old-roundcube-webmail.html

https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10

https://github.com/roundcube/roundcubemail/releases/tag/1.6.11

https://github.com/roundcube/roundcubemail/releases/tag/1.5.10

https://github.com/roundcube/roundcubemail/pull/9865

https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e

https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695

https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d

https://fearsoff.org/research/roundcube

http://www.openwall.com/lists/oss-security/2025/06/02/3

Details

Source: Mitre, NVD

Published: 2025-06-02

Updated: 2025-06-02

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 9.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00567

Vulnerability Watch

Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.

Vulnerability Being Monitored

Detections

Analytics