VDB

DEBIAN-CVE-2025-49113

DEBIAN-CVE-2025-49113 PUBLISHED CVSS 8.800000190734863 HIGH

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

Risk Scores

CVSS 3.1
8.800000190734863
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Debian:13roundcube0, 0
Debian:14roundcube0
Debian:12roundcube1.6.2+dfsg-1, 1.6.3+dfsg-1, 1.6.3+dfsg-1~deb12u1
Debian:11roundcube0, 1.4.11+dfsg.1-4, 1.4.12+dfsg.1-1~bpo10+1

Timeline

  • Jun 2, 2025 CVE Published
  • May 10, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›