Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
AnalysisAI
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows authenticated users to achieve remote code execution through a crafted upload URL. With EPSS 90.4% and KEV listing, this vulnerability in one of the most widely deployed open-source webmail platforms enables any email user to compromise the mail server, accessing all hosted mailboxes.
Technical ContextAI
The vulnerability exists in program/actions/settings/upload.php where the _from parameter from the URL is not validated before use. An authenticated user can inject a crafted value that triggers PHP's unserialize() on attacker-controlled data. Using POP (Property Oriented Programming) gadget chains available in Roundcube's codebase or dependencies, the attacker achieves arbitrary PHP code execution. Roundcube is one of the most deployed webmail solutions, used by hosting providers, enterprises, and government organizations.
RemediationAI
Upgrade Roundcube to 1.5.10+ or 1.6.11+ immediately. This is emergency priority given the 90% EPSS. If unable to patch, restrict access to the upload endpoint. Audit mail server for signs of compromise. Review recently sent emails for unauthorized access indicators.
Same weakness CWE-502 – Deserialization of Untrusted Data
View allVendor StatusVendor
Ubuntu
Priority: High| Release | Status | Version |
|---|---|---|
| upstream | released | 1.6.11+dfsg-1 |
| bionic | released | 1.3.6+dfsg.1-1ubuntu0.1~esm5 |
| focal | released | 1.4.3+dfsg.1-1ubuntu0.1~esm5 |
| jammy | released | 1.5.0+dfsg.1-2ubuntu0.1~esm4 |
| noble | released | 1.6.6+dfsg-2ubuntu0.1 |
| oracular | released | 1.6.8+dfsg-2ubuntu0.1 |
| plucky | released | 1.6.10+dfsg-1ubuntu0.1 |
| xenial | released | 1.2~beta+dfsg.1-0ubuntu1+esm6 |
| questing | not-affected | 1.6.11+dfsg-1 |
Debian
Bug #1107073| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 1.4.15+dfsg.1-1+deb11u5 | - |
| bullseye (security) | fixed | 1.4.15+dfsg.1-1+deb11u7 | - |
| bookworm | fixed | 1.6.5+dfsg-1+deb12u5 | - |
| bookworm (security) | fixed | 1.6.5+dfsg-1+deb12u7 | - |
| trixie (security), trixie | fixed | 1.6.13+dfsg-0+deb13u1 | - |
| forky, sid | fixed | 1.6.13+dfsg-1 | - |
| (unstable) | fixed | 1.6.11+dfsg-1 | - |
SUSE
Severity: CriticalShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-16605
GHSA-8j8w-wwqc-x596