CVE-2025-49113 · HIGH 8.8 · CISA KEV · EPSS p99.8%

CVE-2025-49113: RoundCube Webmail Deserialization of Untrusted Data Vulnerability

Roundcube / Webmail

Description

RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 89.16% probability of exploitation · percentile 99.8% · 2026-06-15T12:03:41Z
Published: 2025-06-02
Last modified: 2026-02-23

CISA KEV entry

Added to KEV: 2026-02-20

Underlying weaknesses · 1

CWE-502

References

  1. https://fearsoff.org/research/roundcube
  2. https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d
  3. https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695
  4. https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e
  5. https://github.com/roundcube/roundcubemail/pull/9865
  6. https://github.com/roundcube/roundcubemail/releases/tag/1.5.10
  7. https://github.com/roundcube/roundcubemail/releases/tag/1.6.11
  8. https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10

1

Type     | Target                                      | Confidence | Tier
Weakness | Deserialization of Untrusted Data (cwe-502) | 0%         | live

(incoming) · 1

Type     | Target                                                                                  | Confidence | Tier
KEVEntry | RoundCube Webmail Deserialization of Untrusted Data Vulnerability (kev-cve-2025-49113) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE · RoundCube Webmail Cross-Site Scripting Vulnerability
CVE · Roundcube Webmail Remote Code Execution Vulnerability
CVE · Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
CVE · Roundcube Webmail File Disclosure Vulnerability
CVE · CVE-2025-2244
CVE · Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.