9.9

CVE-2025-49113

Warnung
Medienbericht
Exploit
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RoundcubeWebmail Version < 1.5.10
RoundcubeWebmail Version >= 1.6.0 < 1.6.11
DebianDebian Linux Version11.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login

20.02.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

RoundCube Webmail Deserialization of Untrusted Data Vulnerability

Schwachstelle

RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 89.46% 0.998
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cve@mitre.org 9.9 3.1 6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
08.07.2026 21:20
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
07.07.2026 11:48
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
23.02.2026 08:26
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
09.08.2025 11:36
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
09.08.2025 11:36
https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
Vendor Advisory
https://github.com/roundcube/roundcubemail/pull/9865
Issue Tracking
https://github.com/roundcube/roundcubemail/releases/tag/1.6.11
Release Notes
https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d
Patch
https://github.com/roundcube/roundcubemail/releases/tag/1.5.10
Release Notes
https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695
Patch
https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e
Patch
https://fearsoff.org/research/roundcube
Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/06/02/3
Third Party Advisory
Mailing List
https://lists.debian.org/debian-lts-announce/2025/06/msg00008.html
Third Party Advisory
Mailing List
https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script
Third Party Advisory
Exploit
Mitigation
https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detection
Third Party Advisory
Exploit
Mitigation
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113
US Government Resource