DEBIAN-CVE-2025-49113
PUBLISHED
CVSS 8.8 HIGH
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Risk Scores
CVSS 3.1
8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:13 | roundcube | 0, 0 |
| Debian:14 | roundcube | 0 |
| Debian:12 | roundcube | 1.6.2+dfsg-1, 1.6.3+dfsg-1, 1.6.3+dfsg-1~deb12u1 |
| Debian:11 | roundcube | 0, 1.4.11+dfsg.1-4, 1.4.12+dfsg.1-1~bpo10+1 |
Exploit Intelligence
- Evillm/CVE-2025-49113-PoC (github-poc-repo, github-poc)
- Roundcube Webmail post-auth RCE via PHP object deserialization (CVE-2025-49113) (github-poc-repo, github-poc)
- CVE-2025-49113 – Roundcube ≤1.6.10 post-auth RCE via PHP object deserialization (HackTheBox CTF) (github-poc-repo, github-poc)
- Hands-on exploitation lab for Roundcube Webmail CVE-2025-49113 (authenticated PHP object deserialization → RCE) to read /secret.txt. (github-poc)
- CVE-2025-49113 - Roundcube Remote Code Execution (github-poc)
- Zuack55/Roundcube-1.6.10-Post-Auth-RCE-CVE-2025-49113- (github-poc)
- Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization (github-poc)
…and 39 more exploits
Timeline
- Jun 2, 2025 CVE Published
- May 10, 2026 CVE Updated