PT-2025-23462 · Unknown +5 · Roundcube Webmail +5

Firs0V · Published 2019-11-09 · Updated 2026-02-20 · CVE-2025-49113

CVSS v3.1: 9.9
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Roundcube versions prior to 1.6.11

Description

Roundcube Webmail is vulnerable to remote code execution (RCE) (CVE-2025-49113) due to improper validation of the `_from` parameter in a URL. This allows authenticated attackers to execute arbitrary code via PHP object deserialization. The vulnerability has been actively exploited, and a proof-of-concept (PoC) exploit is available. Over 84,000 instances are estimated to be vulnerable. The vulnerability affects versions 1.1.0 through 1.6.10 and has been present for approximately 10 years. Exploitation can lead to full system compromise.

Recommendations

Update Roundcube to version 1.6.11 or later.

Exploit

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

ALT-PU-2019-3109
ALT-PU-2020-1898
ALT-PU-2020-2367
ALT-PU-2025-1825
ALT-PU-2025-8283
BDU:2025-06366
CVE-2025-49113
DLA-4211-1
DSA-5934-1
GHSA-8J8W-WWQC-X596
MGASA-2025-0185
USN-7584-1

Affected Products

ALT Linux
Debian
Linux Mint
RED OS
Roundcube Webmail
Ubuntu