What is the CVSS score of CVE-2025-49113?

CVE-2025-49113 has a CVSS 3.1 base score of 9.9 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 90.4%.

Which versions of PHP are affected by CVE-2025-49113?

Roundcube Webmail installations are vulnerable to remote code execution attacks by authenticated users, with active exploitation confirmed in the wild.. A patch is available.

Is there a public PoC exploit available for CVE-2025-49113?

Yes, a public proof-of-concept exploit is available for CVE-2025-49113. Prioritise patching immediately. EPSS: 90.4%.

How to fix or mitigate CVE-2025-49113?

Within 24 hours: Identify all Roundcube instances and their versions; restrict access to Roundcube to essential users only. Within 7 days: Apply patches (upgrade to 1.5.10 or 1.6.11+) to all affected systems; verify patches are successful. Within 30 days: Conduct forensic review of logs for signs of exploitation; reset credentials for accounts that accessed Roundcube during the vulnerability window.

PHP CVE-2025-49113

EUVD-2025-16605 CRITICAL

Deserialization of Untrusted Data (CWE-502)

2025-06-02 cve@mitre.org

GHSA-8j8w-wwqc-x596

PHP Authentication Bypass RCE Deserialization Red Hat Roundcube Debian Linux Webmail Suse

9.9

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 16:47 euvd

EUVD-2025-16605

Analysis Generated

Mar 14, 2026 - 16:47 vuln.today

Patch released

Mar 14, 2026 - 16:47 nvd

Patch available

Added to CISA KEV

Feb 23, 2026 - 13:24 cisa

CISA KEV

PoC Detected

Feb 23, 2026 - 13:24 vuln.today

Public exploit code

CVE Published

Jun 02, 2025 - 05:15 nvd

CRITICAL 9.9

DescriptionNVD

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

AnalysisAI

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows authenticated users to achieve remote code execution through a crafted upload URL. With EPSS 90.4% and KEV listing, this vulnerability in one of the most widely deployed open-source webmail platforms enables any email user to compromise the mail server, accessing all hosted mailboxes.

Technical ContextAI

The vulnerability exists in program/actions/settings/upload.php where the _from parameter from the URL is not validated before use. An authenticated user can inject a crafted value that triggers PHP's unserialize() on attacker-controlled data. Using POP (Property Oriented Programming) gadget chains available in Roundcube's codebase or dependencies, the attacker achieves arbitrary PHP code execution. Roundcube is one of the most deployed webmail solutions, used by hosting providers, enterprises, and government organizations.

RemediationAI

Upgrade Roundcube to 1.5.10+ or 1.6.11+ immediately. This is emergency priority given the 90% EPSS. If unable to patch, restrict access to the upload endpoint. Audit mail server for signs of compromise. Review recently sent emails for unauthorized access indicators.

More from same product – last 7 days

CVE-2026-44050 CRITICAL Act Now

9.9 May 21

Heap buffer overflow in the Netatalk cnid_metad daemon's comm_rcv() function allows remote attackers with low-level priv

CVE-2026-44048 HIGH This Week

8.8 May 21

Stack-based buffer overflow in Netatalk versions 2.0.4 through 4.4.2 allows authenticated remote attackers to corrupt me

CVE-2026-44047 HIGH This Week

8.8 May 21

SQL injection in Netatalk 3.1.0 through 4.4.2 allows authenticated remote attackers to compromise the MySQL-backed CNID

CVE-2026-44051 HIGH This Week

8.1 May 21

Arbitrary file read in Netatalk 3.0.2 through 4.4.2 allows authenticated remote attackers to create attacker-controlled

CVE-2026-9277 HIGH This Week

8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr

Vendor StatusVendor

Ubuntu

Priority: High

roundcube

Release	Status	Version
upstream	released	1.6.11+dfsg-1
bionic	released	1.3.6+dfsg.1-1ubuntu0.1~esm5
focal	released	1.4.3+dfsg.1-1ubuntu0.1~esm5
jammy	released	1.5.0+dfsg.1-2ubuntu0.1~esm4
noble	released	1.6.6+dfsg-2ubuntu0.1
oracular	released	1.6.8+dfsg-2ubuntu0.1
plucky	released	1.6.10+dfsg-1ubuntu0.1
xenial	released	1.2~beta+dfsg.1-0ubuntu1+esm6
questing	not-affected	1.6.11+dfsg-1

USN-7584-1

Debian

Bug #1107073

roundcube

Release	Status	Fixed Version	Urgency
bullseye	fixed	1.4.15+dfsg.1-1+deb11u5	-
bullseye (security)	fixed	1.4.15+dfsg.1-1+deb11u7	-
bookworm	fixed	1.6.5+dfsg-1+deb12u5	-
bookworm (security)	fixed	1.6.5+dfsg-1+deb12u7	-
trixie (security), trixie	fixed	1.6.13+dfsg-0+deb13u1	-
forky, sid	fixed	1.6.13+dfsg-1	-
(unstable)	fixed	1.6.11+dfsg-1	-

DLA-4211-1 DSA-5934-1

CVE-2025-49113 vulnerability details – vuln.today

Back

PHP CVE-2025-49113

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Ubuntu

Debian

Share

External POC / Exploit Code