PT-2025-23462 · Unknown +5 · Roundcube Webmail +5

Firs0V · Published 2025-06-01 · Updated 2025-11-30 · CVE-2025-49113

CVSS v3.1: 9.9 (Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions: Roundcube Webmail versions prior to 1.5.10, and 1.6.x versions prior to 1.6.11
Description: Roundcube Webmail contains a PHP object deserialization flaw (CVE-2025-49113, CVSS 9.9): the `_from` URL parameter of the settings upload action is used without sanitization, and a crafted value lets an authenticated user execute arbitrary code on the server. Only a valid webmail login is required (PR:L in the vector), so phished, brute-forced or leaked mailbox credentials are enough to turn the bug into a compromise of the underlying host, which is what the scope change (S:C) reflects. The flaw had been present in the code base for roughly ten years. Exploitation in the wild has been reported, proof-of-concept exploits are publicly available, and over 84,000 exposed servers were estimated to be vulnerable.
Recommendations: Update Roundcube to version 1.5.10 or later on the 1.5 branch, or to version 1.6.11 or later on the 1.6 branch. Distribution-packaged builds are covered by the vendor advisories listed under Related Identifiers below. Because the flaw was exploited before patches were widely deployed, treat an Internet-exposed instance that ran a vulnerable version as potentially compromised and review its web server access logs for requests to the settings upload action with unusual `_from` values.
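Two checks a practitioner would want from this advisory, written here as an added example (not code from the advisory or from the Roundcube project): a version triage that implements exactly the affected ranges stated above, and a scan of web server access logs for requests to the settings upload action whose `_from` parameter contains characters outside a conservative allowlist. The log lines are constructed for the example; the allowlist (letters, digits, dash, underscore) is an assumption chosen to be wider than the form names Roundcube normally passes in `_from`, and the endpoint is identified by `_task=settings&_action=upload`.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Affected ranges exactly as this advisory states them:
# anything before 1.5.10, and 1.6.x before 1.6.11.
FIXED_15 = (1, 5, 10)
FIXED_16 = (1, 6, 11)


def parse_version(version):
    """Turn '1.6.10' (or '1.6.10-1+deb12u1') into a 3-tuple of ints."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version):
    """True if the given Roundcube version falls in an affected range."""
    v = parse_version(version)
    if v[:2] == (1, 6):
        return v < FIXED_16
    return v < FIXED_15


# Apache/nginx "combined" access log format (assumption: adjust LOG_RE for
# other formats). Only the fields needed for triage are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed allowlist: legitimate _from values are short form names such as
# "edit-identity"; anything else (e.g. "!" or serialized-object syntax) is flagged.
ALLOWED_FROM = re.compile(r"^[A-Za-z0-9_-]+$")


def find_suspicious_requests(log_text):
    """Return one dict per request to the settings upload action whose
    decoded _from value fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        qs = parse_qs(urlsplit(m["url"]).query)  # also percent-decodes values
        if qs.get("_task") != ["settings"] or qs.get("_action") != ["upload"]:
            continue
        for value in qs.get("_from", []):
            if not ALLOWED_FROM.match(value):
                hits.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "method": m["method"],
                    "status": m["status"],
                    "_from": value,
                })
    return hits


# Constructed sample log: a benign upload, one with a _from value that fails
# the allowlist (percent-encoded "!" and "O:8:"), and an unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2025:10:15:01 +0000] "GET /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2025:10:15:07 +0000] "POST /?_task=settings&_action=upload&_from=edit-prefs%21O%3A8%3A HTTP/1.1" 200 13 "-" "python-requests/2.32"
198.51.100.9 - - [02/Jun/2025:10:16:20 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for v in ("1.5.9", "1.5.10", "1.6.10", "1.6.11"):
        print(f"{v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The log check is deliberately an allowlist rather than a signature for a specific payload: a flagged request is a lead to investigate (which account, what was uploaded, whether the host was patched at the time), not proof of exploitation, and a clean log does not prove the absence of compromise on an instance that ran a vulnerable version while the bug was being exploited.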

Tags: Exploit · Fix · RCE

Weakness Enumeration: CWE-502 Deserialization of Untrusted Data

Related Identifiers

ALT-PU-2025-8283
BDU:2025-06366
CVE-2025-49113
DLA-4211-1
DSA-5934-1
GHSA-8J8W-WWQC-X596
MGASA-2025-0185
USN-7584-1

Affected Products

Alt Linux
Debian
Linuxmint
Red Os
Roundcube Webmail
Ubuntu