PT-2025-23462 · Roundcube Webmail

Firs0V · Published 2025-06-01 · Updated 2025-09-17 · CVE-2025-49113

CVSS v3.1: 9.9
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**Name of the Vulnerable Software and Affected Versions:** Roundcube versions 1.1.0 through 1.6.10

**Description:**

Roundcube Webmail contains a PHP object deserialization vulnerability in the `_from` parameter handled by the `upload.php` script. An authenticated attacker can use it to execute arbitrary code on the server. The vulnerability is being actively exploited: a proof-of-concept (PoC) is public and exploitation in the wild has been reported. Over 84,000 systems are estimated to be vulnerable. The flaw has been present for approximately 10 years and affects Roundcube running with default configurations in environments such as cPanel, Plesk, and ISPConfig.

**Recommendations:**

Update Roundcube to version 1.5.10 or 1.6.11, or later, as soon as possible. Audit server logs for suspicious activity related to the `/upload.php` endpoint. Consider temporarily disabling file upload functionality until the update can be applied.
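As a starting point for the log audit recommended above, the following added example (not part of the advisory or of Roundcube) scans a web-server access log in Combined Log Format for upload requests whose `_from` value does not look like a plain identifier or carries a PHP `serialize()` object marker. It assumes legitimate `_from` values are short alphanumeric identifiers and that Roundcube upload requests are recognisable by an `upload.php` path or an `_action=upload` query parameter; the log lines are constructed, and only query-string parameters are visible in access logs, so `_from` values sent in a POST body need application-level logging.

```python
"""Flag suspicious `_from` values on Roundcube upload requests in an access log.

Added example for this advisory, not Roundcube's or the advisory's own code.
Assumptions: Combined Log Format, identifier-like legitimate `_from` values,
and upload requests identified by path or `_action=upload` (assumed).
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not real traffic); the last two are test cases.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2025:10:00:01 +0000] "GET /?_task=mail&_mbox=INBOX HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jun/2025:10:00:05 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jun/2025:10:01:17 +0000] "POST /?_task=settings&_action=upload&_from=O%3A4%3A%22Test%22%3A0%3A%7B%7D HTTP/1.1" 200 312 "-" "curl/8.4"
198.51.100.8 - - [01/Jun/2025:10:02:40 +0000] "POST /program/actions/settings/upload.php?_from=edit%3Bfoo HTTP/1.1" 404 196 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Assumed shape of a legitimate `_from` value: a short identifier.
SAFE_FROM = re.compile(r'^[A-Za-z0-9_-]{1,64}$')
# Prefix produced by PHP serialize() for objects, classes and arrays, e.g. O:4:"Test":0:{}
PHP_SERIALIZED = re.compile(r'(?:^|[^A-Za-z])[OCa]:\d+:')

def is_upload_request(path, query):
    """True for requests that reach Roundcube's upload handler (assumed routing)."""
    return path.endswith('upload.php') or query.get('_action', [''])[0] == 'upload'

def scan_access_log(text):
    """Return one finding per upload request whose `_from` value needs review."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        parts = urlsplit(m.group('target'))
        query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        if not is_upload_request(parts.path, query):
            continue
        for value in query.get('_from', []):
            if PHP_SERIALIZED.search(value):
                reason = 'serialized PHP object marker in _from'
            elif not SAFE_FROM.match(value):
                reason = 'unexpected characters in _from'
            else:
                continue  # identifier-like value, nothing to report
            findings.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                             'status': int(m.group('status')), 'from': value, 'reason': reason})
    return findings

if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} HTTP {f['status']} {f['reason']}: {f['from']!r}")
```

A 404 on the flagged request does not mean the attempt failed harmlessly on every deployment; treat any hit as a trigger to check the Roundcube version and the account that made the request.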

Tags: Exploit · Fix · RCE

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers:

BDU:2025-06366
CVE-2025-49113
DLA-4211-1
DSA-5934-1
GHSA-8J8W-WWQC-X596
MGASA-2025-0185
USN-7584-1

Affected Products:

Debian
Linuxmint
Red Os
Roundcube Webmail
Ubuntu