{"id":"CVE-2025-49113","details":"Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.","aliases":["GHSA-8j8w-wwqc-x596"],"modified":"2026-04-16T04:44:11.951453388Z","published":"2025-06-02T05:15:53.420Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113"},{"type":"ADVISORY","url":"https://fearsoff.org/research/roundcube"},{"type":"ADVISORY","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.6.11"},{"type":"ADVISORY","url":"https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2025/06/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.5.10"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2025/06/02/3"},{"type":"REPORT","url":"https://github.com/roundcube/roundcubemail/pull/9865"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e"},{"type":"EVIDENCE","url":"https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script"},{"type":"EVIDENCE","url":"https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detection"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/roundcube/roundcubemail","events":[{"introduced":"0"},{"fixed":"87380372b6d94f9c90bff2402b76aa71351193e1"},{"introduced":"993b888afe29c383bf45c84f17090f4db96367ba"},{"fixed":"2ae7cec1ca7086a93500f05b3810f2cc9a16990f"},{"fixed":"0376f69e958a8fef7f6f09e352c541b4e7729c4d"},{"fixed":"7408f31379666124a39f9cb1018f62bc5e2dc695"},{"fixed":"c50a07d88ca38f018a0f4a0b008e9a1deb32637e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.5.10"},{"introduced":"1.6.0"},{"fixed":"1.6.11"}]}}],"versions":["1.1-beta","1.1-rc","1.1.0","1.2-beta","1.2-rc","1.3-beta","1.4-beta","1.4-rc1","1.4-rc2","1.5-beta","1.5-rc","1.5.0","1.5.1","1.5.2","1.5.3","1.5.4","1.5.5","1.5.6","1.5.7","1.5.8","1.5.9","1.6.0","1.6.1","1.6.10","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","1.6.8","1.6.9","v0.1-beta2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49113.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}