CVE-2025-49113

Advisory lineage Upstream: 0 Downstream: 5

Downstream

DEBIAN-CVE-2025-49113 DLA-4211-1 DSA-5934-1 UBUNTU-CVE-2025-49113 USN-7584-1

Analyzed

Published: 02 Jun 2025, 00:00

Last modified:21 Feb 2026, 04:56

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.9 CRITICAL

v3.1 (cve.org)

EPSS Score

90.36% CRITICAL

90% probability -1.47%

KEV

Listed

CISA

1 listing

Ransomware

No reports

Public exploits

4 found

Dark Web

Not detected

Timeline

02 Jun 2025, 00:00

Published

Vulnerability first disclosed

20 Feb 2026, 00:00

Added to CISA KEV

RoundCube Webmail Deserialization of Untrusted Data Vulnerability

21 Feb 2026, 04:56

Last Modified

Vulnerability information updated

13 Mar 2026, 00:00

CISA Remediation Due

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

CVSS Metrics

v3.1•CRITICAL•Score: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 90.36%• Percentile: 100%

Techniques & Countermeasures

CWE-502•Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

debian•debian_linux
11.0
Unknown•Webmail
< 1.5.10 | ≥ 1.6.0, < 1.6.11