Critical Severity Vulnerability
This vulnerability has been rated as Critical severity. Immediate action is recommended.
CVE-2025-49113
Critical
Low
Medium
High
Critical
9.9
CVSS Score
Published: Jun 02, 2025
Last Modified: Dec 22, 2025
Vulnerability Description
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
N
Attack Complexity
L
Privileges Required
L
User Interaction
N
Scope
C
Confidentiality
H
Integrity
H
Availability
H
Known Affected Software
137 configuration(s) from 2 vendor(s)
debian_linux
Version:
11.0
CPE:
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
webmail
Version:
1.3.5
CPE:
cpe:2.3:a:roundcube:webmail:1.3.5:*:*:*:*:*:*:*
webmail
Version:
0.1
CPE:
cpe:2.3:a:roundcube:webmail:0.1:-:*:*:*:*:*:*
webmail
Version:
0.8.6
CPE:
cpe:2.3:a:roundcube:webmail:0.8.6:*:*:*:*:*:*:*
webmail
Version:
1.3.8
CPE:
cpe:2.3:a:roundcube:webmail:1.3.8:*:*:*:*:*:*:*
webmail
Version:
1.5.2
CPE:
cpe:2.3:a:roundcube:webmail:1.5.2:*:*:*:*:*:*:*
webmail
Version:
0.7.3
CPE:
cpe:2.3:a:roundcube:webmail:0.7.3:*:*:*:*:*:*:*
webmail
Version:
1.4.13
CPE:
cpe:2.3:a:roundcube:webmail:1.4.13:*:*:*:*:*:*:*
webmail
Version:
1.3.14
CPE:
cpe:2.3:a:roundcube:webmail:1.3.14:*:*:*:*:*:*:*
webmail
Version:
1.0.9
CPE:
cpe:2.3:a:roundcube:webmail:1.0.9:*:*:*:*:*:*:*
webmail
Version:
1.3.16
CPE:
cpe:2.3:a:roundcube:webmail:1.3.16:*:*:*:*:*:*:*
webmail
Version:
1.4.9
CPE:
cpe:2.3:a:roundcube:webmail:1.4.9:*:*:*:*:*:*:*
webmail
Version:
1.6.7
CPE:
cpe:2.3:a:roundcube:webmail:1.6.7:*:*:*:*:*:*:*
webmail
Version:
1.0.4
CPE:
cpe:2.3:a:roundcube:webmail:1.0.4:*:*:*:*:*:*:*
webmail
Version:
1.0.12
CPE:
cpe:2.3:a:roundcube:webmail:1.0.12:*:*:*:*:*:*:*
webmail
Version:
1.4.4
CPE:
cpe:2.3:a:roundcube:webmail:1.4.4:*:*:*:*:*:*:*
webmail
Version:
1.4.12
CPE:
cpe:2.3:a:roundcube:webmail:1.4.12:*:*:*:*:*:*:*
webmail
Version:
1.4.8
CPE:
cpe:2.3:a:roundcube:webmail:1.4.8:*:*:*:*:*:*:*
webmail
Version:
0.2.1
CPE:
cpe:2.3:a:roundcube:webmail:0.2.1:*:*:*:*:*:*:*
webmail
Version:
1.0.6
CPE:
cpe:2.3:a:roundcube:webmail:1.0.6:*:*:*:*:*:*:*
webmail
Version:
0.8.4
CPE:
cpe:2.3:a:roundcube:webmail:0.8.4:*:*:*:*:*:*:*
webmail
Version:
1.6.4
CPE:
cpe:2.3:a:roundcube:webmail:1.6.4:*:*:*:*:*:*:*
webmail
Version:
1.6.5
CPE:
cpe:2.3:a:roundcube:webmail:1.6.5:*:*:*:*:*:*:*
webmail
Version:
1.2.2
CPE:
cpe:2.3:a:roundcube:webmail:1.2.2:*:*:*:*:*:*:*
webmail
Version:
1.6.6
CPE:
cpe:2.3:a:roundcube:webmail:1.6.6:*:*:*:*:*:*:*
webmail
Version:
1.6.1
CPE:
cpe:2.3:a:roundcube:webmail:1.6.1:*:*:*:*:*:*:*
webmail
Version:
1.3.9
CPE:
cpe:2.3:a:roundcube:webmail:1.3.9:*:*:*:*:*:*:*
webmail
Version:
1.1
CPE:
cpe:2.3:a:roundcube:webmail:1.1:-:*:*:*:*:*:*
webmail
Version:
1.3.0
CPE:
cpe:2.3:a:roundcube:webmail:1.3.0:-:*:*:*:*:*:*
webmail
Version:
0.9.1
CPE:
cpe:2.3:a:roundcube:webmail:0.9.1:*:*:*:*:*:*:*
webmail
Version:
0.9
CPE:
cpe:2.3:a:roundcube:webmail:0.9:beta:*:*:*:*:*:*
webmail
Version:
0.9.2
CPE:
cpe:2.3:a:roundcube:webmail:0.9.2:*:*:*:*:*:*:*
webmail
Version:
1.1.7
CPE:
cpe:2.3:a:roundcube:webmail:1.1.7:*:*:*:*:*:*:*
webmail
Version:
0.3.1
CPE:
cpe:2.3:a:roundcube:webmail:0.3.1:*:*:*:*:*:*:*
webmail
Version:
1.2.0
CPE:
cpe:2.3:a:roundcube:webmail:1.2.0:-:*:*:*:*:*:*
webmail
Version:
1.3.1
CPE:
cpe:2.3:a:roundcube:webmail:1.3.1:*:*:*:*:*:*:*
webmail
Version:
0.7.1
CPE:
cpe:2.3:a:roundcube:webmail:0.7.1:*:*:*:*:*:*:*
webmail
Version:
1.5.3
CPE:
cpe:2.3:a:roundcube:webmail:1.5.3:*:*:*:*:*:*:*
webmail
Version:
1.1.6
CPE:
cpe:2.3:a:roundcube:webmail:1.1.6:*:*:*:*:*:*:*
webmail
Version:
0.8.5
CPE:
cpe:2.3:a:roundcube:webmail:0.8.5:*:*:*:*:*:*:*
webmail
Version:
1.3.4
CPE:
cpe:2.3:a:roundcube:webmail:1.3.4:*:*:*:*:*:*:*
webmail
Version:
1.2.9
CPE:
cpe:2.3:a:roundcube:webmail:1.2.9:*:*:*:*:*:*:*
webmail
Version:
1.6.0
CPE:
cpe:2.3:a:roundcube:webmail:1.6.0:-:*:*:*:*:*:*
webmail
Version:
0.7
CPE:
cpe:2.3:a:roundcube:webmail:0.7:-:*:*:*:*:*:*
webmail
Version:
1.3.2
CPE:
cpe:2.3:a:roundcube:webmail:1.3.2:*:*:*:*:*:*:*
webmail
Version:
1.4.0
CPE:
cpe:2.3:a:roundcube:webmail:1.4.0:*:*:*:*:*:*:*
webmail
Version:
0.6
CPE:
cpe:2.3:a:roundcube:webmail:0.6:-:*:*:*:*:*:*
webmail
Version:
1.2.4
CPE:
cpe:2.3:a:roundcube:webmail:1.2.4:*:*:*:*:*:*:*
webmail
Version:
1.4.3
CPE:
cpe:2.3:a:roundcube:webmail:1.4.3:*:*:*:*:*:*:*
webmail
Version:
1.3.13
CPE:
cpe:2.3:a:roundcube:webmail:1.3.13:*:*:*:*:*:*:*
webmail
Version:
1.2.12
CPE:
cpe:2.3:a:roundcube:webmail:1.2.12:*:*:*:*:*:*:*
webmail
Version:
1.6.8
CPE:
cpe:2.3:a:roundcube:webmail:1.6.8:*:*:*:*:*:*:*
webmail
Version:
1.0.10
CPE:
cpe:2.3:a:roundcube:webmail:1.0.10:*:*:*:*:*:*:*
webmail
Version:
1.2.11
CPE:
cpe:2.3:a:roundcube:webmail:1.2.11:*:*:*:*:*:*:*
webmail
Version:
0.5.3
CPE:
cpe:2.3:a:roundcube:webmail:0.5.3:*:*:*:*:*:*:*
webmail
Version:
1.0.1
CPE:
cpe:2.3:a:roundcube:webmail:1.0.1:*:*:*:*:*:*:*
webmail
Version:
1.4.14
CPE:
cpe:2.3:a:roundcube:webmail:1.4.14:*:*:*:*:*:*:*
webmail
Version:
1.4
CPE:
cpe:2.3:a:roundcube:webmail:1.4:-:*:*:*:*:*:*
webmail
Version:
1.2.3
CPE:
cpe:2.3:a:roundcube:webmail:1.2.3:*:*:*:*:*:*:*
webmail
Version:
1.2.1
CPE:
cpe:2.3:a:roundcube:webmail:1.2.1:*:*:*:*:*:*:*
webmail
Version:
1.1.9
CPE:
cpe:2.3:a:roundcube:webmail:1.1.9:*:*:*:*:*:*:*
webmail
Version:
1.4.5
CPE:
cpe:2.3:a:roundcube:webmail:1.4.5:*:*:*:*:*:*:*
webmail
Version:
0.4.1
CPE:
cpe:2.3:a:roundcube:webmail:0.4.1:*:*:*:*:*:*:*
webmail
Version:
1.6.10
CPE:
cpe:2.3:a:roundcube:webmail:1.6.10:*:*:*:*:*:*:*
webmail
Version:
0.5.1
CPE:
cpe:2.3:a:roundcube:webmail:0.5.1:*:*:*:*:*:*:*
webmail
Version:
1.1.12
CPE:
cpe:2.3:a:roundcube:webmail:1.1.12:*:*:*:*:*:*:*
webmail
Version:
1.4.6
CPE:
cpe:2.3:a:roundcube:webmail:1.4.6:*:*:*:*:*:*:*
webmail
Version:
1.5.0
CPE:
cpe:2.3:a:roundcube:webmail:1.5.0:-:*:*:*:*:*:*
webmail
Version:
1.5.4
CPE:
cpe:2.3:a:roundcube:webmail:1.5.4:*:*:*:*:*:*:*
webmail
Version:
1.2
CPE:
cpe:2.3:a:roundcube:webmail:1.2:beta:*:*:*:*:*:*
webmail
Version:
0.7.2
CPE:
cpe:2.3:a:roundcube:webmail:0.7.2:*:*:*:*:*:*:*
webmail
Version:
1.1.4
CPE:
cpe:2.3:a:roundcube:webmail:1.1.4:*:*:*:*:*:*:*
webmail
Version:
1.0.2
CPE:
cpe:2.3:a:roundcube:webmail:1.0.2:*:*:*:*:*:*:*
webmail
Version:
1.3.6
CPE:
cpe:2.3:a:roundcube:webmail:1.3.6:*:*:*:*:*:*:*
webmail
Version:
1.0
CPE:
cpe:2.3:a:roundcube:webmail:1.0:beta:*:*:*:*:*:*
webmail
Version:
0.5.2
CPE:
cpe:2.3:a:roundcube:webmail:0.5.2:*:*:*:*:*:*:*
webmail
Version:
1.5.5
CPE:
cpe:2.3:a:roundcube:webmail:1.5.5:*:*:*:*:*:*:*
webmail
Version:
0.2.2
CPE:
cpe:2.3:a:roundcube:webmail:0.2.2:*:*:*:*:*:*:*
webmail
Version:
1.3.17
CPE:
cpe:2.3:a:roundcube:webmail:1.3.17:*:*:*:*:*:*:*
webmail
Version:
0.3
CPE:
cpe:2.3:a:roundcube:webmail:0.3:-:*:*:*:*:*:*
webmail
Version:
1.2.8
CPE:
cpe:2.3:a:roundcube:webmail:1.2.8:*:*:*:*:*:*:*
webmail
Version:
1.3.7
CPE:
cpe:2.3:a:roundcube:webmail:1.3.7:*:*:*:*:*:*:*
webmail
Version:
0.8.1
CPE:
cpe:2.3:a:roundcube:webmail:0.8.1:*:*:*:*:*:*:*
webmail
Version:
1.6.2
CPE:
cpe:2.3:a:roundcube:webmail:1.6.2:*:*:*:*:*:*:*
webmail
Version:
1.4.1
CPE:
cpe:2.3:a:roundcube:webmail:1.4.1:*:*:*:*:*:*:*
webmail
Version:
1.4.15
CPE:
cpe:2.3:a:roundcube:webmail:1.4.15:*:*:*:*:*:*:*
webmail
Version:
1.2.10
CPE:
cpe:2.3:a:roundcube:webmail:1.2.10:*:*:*:*:*:*:*
webmail
Version:
1.5.8
CPE:
cpe:2.3:a:roundcube:webmail:1.5.8:*:*:*:*:*:*:*
webmail
Version:
1.3.10
CPE:
cpe:2.3:a:roundcube:webmail:1.3.10:*:*:*:*:*:*:*
webmail
Version:
1.1.3
CPE:
cpe:2.3:a:roundcube:webmail:1.1.3:*:*:*:*:*:*:*
webmail
Version:
1.3.11
CPE:
cpe:2.3:a:roundcube:webmail:1.3.11:*:*:*:*:*:*:*
webmail
Version:
1.1.8
CPE:
cpe:2.3:a:roundcube:webmail:1.1.8:*:*:*:*:*:*:*
webmail
Version:
1.3
CPE:
cpe:2.3:a:roundcube:webmail:1.3:beta:*:*:*:*:*:*
webmail
Version:
0.4.2
CPE:
cpe:2.3:a:roundcube:webmail:0.4.2:*:*:*:*:*:*:*
webmail
Version:
1.2.7
CPE:
cpe:2.3:a:roundcube:webmail:1.2.7:*:*:*:*:*:*:*
webmail
Version:
1.4.2
CPE:
cpe:2.3:a:roundcube:webmail:1.4.2:*:*:*:*:*:*:*
webmail
Version:
1.1.2
CPE:
cpe:2.3:a:roundcube:webmail:1.1.2:*:*:*:*:*:*:*
webmail
Version:
0.9.5
CPE:
cpe:2.3:a:roundcube:webmail:0.9.5:*:*:*:*:*:*:*
webmail
Version:
0.7.4
CPE:
cpe:2.3:a:roundcube:webmail:0.7.4:*:*:*:*:*:*:*
webmail
Version:
1.0.5
CPE:
cpe:2.3:a:roundcube:webmail:1.0.5:*:*:*:*:*:*:*
webmail
Version:
1.5.7
CPE:
cpe:2.3:a:roundcube:webmail:1.5.7:*:*:*:*:*:*:*
webmail
Version:
1.3.3
CPE:
cpe:2.3:a:roundcube:webmail:1.3.3:*:*:*:*:*:*:*
webmail
Version:
1.5.9
CPE:
cpe:2.3:a:roundcube:webmail:1.5.9:*:*:*:*:*:*:*
webmail
Version:
1.3.15
CPE:
cpe:2.3:a:roundcube:webmail:1.3.15:*:*:*:*:*:*:*
webmail
Version:
1.4.7
CPE:
cpe:2.3:a:roundcube:webmail:1.4.7:*:*:*:*:*:*:*
webmail
Version:
1.2.6
CPE:
cpe:2.3:a:roundcube:webmail:1.2.6:*:*:*:*:*:*:*
webmail
Version:
1.2.13
CPE:
cpe:2.3:a:roundcube:webmail:1.2.13:*:*:*:*:*:*:*
webmail
Version:
1.3.12
CPE:
cpe:2.3:a:roundcube:webmail:1.3.12:*:*:*:*:*:*:*
webmail
Version:
0.9.0
CPE:
cpe:2.3:a:roundcube:webmail:0.9.0:beta:*:*:*:*:*:*
webmail
Version:
1.1.0
CPE:
cpe:2.3:a:roundcube:webmail:1.1.0:-:*:*:*:*:*:*
webmail
Version:
1.2.5
CPE:
cpe:2.3:a:roundcube:webmail:1.2.5:*:*:*:*:*:*:*
webmail
Version:
1.1.10
CPE:
cpe:2.3:a:roundcube:webmail:1.1.10:*:*:*:*:*:*:*
webmail
Version:
0.2
CPE:
cpe:2.3:a:roundcube:webmail:0.2:-:*:*:*:*:*:*
webmail
Version:
0.9.3
CPE:
cpe:2.3:a:roundcube:webmail:0.9.3:*:*:*:*:*:*:*
webmail
Version:
1.6.3
CPE:
cpe:2.3:a:roundcube:webmail:1.6.3:*:*:*:*:*:*:*
webmail
Version:
1.0.0
CPE:
cpe:2.3:a:roundcube:webmail:1.0.0:-:*:*:*:*:*:*
webmail
Version:
1.1.1
CPE:
cpe:2.3:a:roundcube:webmail:1.1.1:*:*:*:*:*:*:*
webmail
Version:
1.0.11
CPE:
cpe:2.3:a:roundcube:webmail:1.0.11:*:*:*:*:*:*:*
webmail
Version:
0.8.7
CPE:
cpe:2.3:a:roundcube:webmail:0.8.7:*:*:*:*:*:*:*
webmail
Version:
0.8.0
CPE:
cpe:2.3:a:roundcube:webmail:0.8.0:-:*:*:*:*:*:*
webmail
Version:
0.8.3
CPE:
cpe:2.3:a:roundcube:webmail:0.8.3:*:*:*:*:*:*:*
webmail
Version:
1.1.11
CPE:
cpe:2.3:a:roundcube:webmail:1.1.11:*:*:*:*:*:*:*
webmail
Version:
1.6.9
CPE:
cpe:2.3:a:roundcube:webmail:1.6.9:*:*:*:*:*:*:*
webmail
Version:
1.5.6
CPE:
cpe:2.3:a:roundcube:webmail:1.5.6:*:*:*:*:*:*:*
webmail
Version:
1.5.1
CPE:
cpe:2.3:a:roundcube:webmail:1.5.1:*:*:*:*:*:*:*
webmail
Version:
0.4
CPE:
cpe:2.3:a:roundcube:webmail:0.4:-:*:*:*:*:*:*
webmail
Version:
1.4.10
CPE:
cpe:2.3:a:roundcube:webmail:1.4.10:*:*:*:*:*:*:*
webmail
Version:
1.0.8
CPE:
cpe:2.3:a:roundcube:webmail:1.0.8:*:*:*:*:*:*:*
webmail
Version:
1.0.3
CPE:
cpe:2.3:a:roundcube:webmail:1.0.3:*:*:*:*:*:*:*
webmail
Version:
0.1.1
CPE:
cpe:2.3:a:roundcube:webmail:0.1.1:*:*:*:*:*:*:*
webmail
Version:
0.8.2
CPE:
cpe:2.3:a:roundcube:webmail:0.8.2:*:*:*:*:*:*:*
webmail
Version:
0.5
CPE:
cpe:2.3:a:roundcube:webmail:0.5:-:*:*:*:*:*:*
webmail
Version:
1.0.7
CPE:
cpe:2.3:a:roundcube:webmail:1.0.7:*:*:*:*:*:*:*
webmail
Version:
1.1.5
CPE:
cpe:2.3:a:roundcube:webmail:1.1.5:*:*:*:*:*:*:*
webmail
Version:
0.5.4
CPE:
cpe:2.3:a:roundcube:webmail:0.5.4:*:*:*:*:*:*:*
webmail
Version:
0.9.4
CPE:
cpe:2.3:a:roundcube:webmail:0.9.4:*:*:*:*:*:*:*
webmail
Version:
1.4.11
CPE:
cpe:2.3:a:roundcube:webmail:1.4.11:*:*:*:*:*:*:*
This vulnerability affects 137 software configuration(s). Ensure you patch all affected systems.
SUSE
CVE-2025-49113
CVE-2025-49113
Severity
Unknown
Released
Jun 02, 2025
Security Update
References & Resources
-
https://fearsoff.org/research/roundcubecve@mitre.org Third Party Advisory
-
https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4dcve@mitre.org Patch
-
https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695cve@mitre.org Patch
-
https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637ecve@mitre.org Patch
-
https://github.com/roundcube/roundcubemail/pull/9865cve@mitre.org Issue Tracking
-
https://github.com/roundcube/roundcubemail/releases/tag/1.5.10cve@mitre.org Release Notes
-
https://github.com/roundcube/roundcubemail/releases/tag/1.6.11cve@mitre.org Release Notes
-
https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10cve@mitre.org Vendor Advisory
-
https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-scriptcve@mitre.org Exploit Mitigation Third Party Advisory
-
https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detectioncve@mitre.org Exploit Mitigation Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2025/06/02/3af854a3a-2127-422b-91ae-364da2661108 Mailing List Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2025/06/msg00008.htmlaf854a3a-2127-422b-91ae-364da2661108 Mailing List Third Party Advisory
Severity Details
9.9
out of 10.0
Critical
Key Information
- Published Date
- June 02, 2025
