CVE-2025-49113
In short
Roundcube Webmail has a security flaw that lets an authenticated (logged-in) user run arbitrary code on the server by sending a specially crafted request. The cause is that the application does not validate the _from URL parameter before processing it.
Technical detail
The vulnerability exists in program/actions/settings/upload.php where the _from parameter undergoes unsafe PHP object deserialization without validation. An authenticated attacker can exploit this to achieve remote code execution by crafting a malicious serialized object payload. This affects Roundcube versions before 1.5.10 and 1.6.x before 1.6.11.
Summary generated and translated by AI from the official description.
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
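An added detection example, not part of this advisory and not Roundcube's own code: it scans web-server access logs for requests to the settings upload action whose _from value carries PHP serialized-object syntax, which is the deserialization sink the technical detail above describes. It assumes Roundcube reaches program/actions/settings/upload.php through the ?_task=settings&_action=upload query (an assumption about routing); the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Header of a PHP serialized object after URL-decoding: O:<len>:"<class>":...
PHP_OBJECT = re.compile(r'O:\d+:"')

# Common Log Format fields we need: client, user, timestamp, request target.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real logs). The second line carries an
# empty serialized object O:1:"X":0:{} in _from purely as a detection sample.
SAMPLE_LOG = """\
10.0.0.5 - alice [02/Jun/2025:10:01:12 +0000] "GET /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512
10.0.0.9 - bob [02/Jun/2025:10:02:40 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=O%3A1%3A%22X%22%3A0%3A%7B%7D HTTP/1.1" 200 77
10.0.0.7 - carol [02/Jun/2025:10:03:01 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 2048
"""


def is_suspicious_upload(target: str) -> bool:
    """True when the request targets the settings/upload action (assumed
    routing for program/actions/settings/upload.php) and its _from value
    looks like a PHP serialized object rather than a plain form name."""
    qs = parse_qs(urlsplit(target).query)
    if qs.get("_task", [""])[0] != "settings":
        return False
    if qs.get("_action", [""])[0] != "upload":
        return False
    # parse_qs already decodes once; unquote again to catch double-encoding.
    return any(PHP_OBJECT.search(unquote(v)) for v in qs.get("_from", []))


def scan_access_log(log_text: str) -> list[dict]:
    """Return one record per matching request for analyst triage."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_suspicious_upload(m["target"]):
            hits.append({"ip": m["ip"], "user": m["user"],
                         "ts": m["ts"], "target": m["target"]})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} user={hit['user']} {hit['target']}")
```

Access logs only record the query string, so a _from value sent in a POST body will not be visible here; treat a match as a triage lead for the named account and host, and confirm exposure against the fixed versions (1.5.10 / 1.6.11) listed in this advisory.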
Affected products
Roundcube · Webmail

Public PoCs found — 24
github.com/fearsoff-org/CVE-2025-49113 ★ 104
github.com/hakaioffsec/CVE-2025-49113-exploit ★ 90
github.com/00xCanelo/CVE-2025-49113 ★ 7
github.com/BiiTts/Roundcube-CVE-2025-49113 ★ 6
github.com/rxerium/CVE-2025-49113 ★ 5
github.com/Zwique/CVE-2025-49113 ★ 4
github.com/Ademking/CVE-2025-49113-nuclei-template ★ 3
github.com/rasool13x/exploit-CVE-2025-49113 ★ 3
github.com/SyFi/CVE-2025-49113 ★ 2
github.com/l4f2s4/CVE-2025-49113_exploit_cookies ★ 1
github.com/Joelp03/CVE-2025-49113 ★ 1
github.com/rippsec/CVE-2025-49113-Roundcube-RCE ★ 0
github.com/CyberQuestor-infosec/CVE-2025-49113-Roundcube_1.6.10 ★ 0
github.com/5kr1pt/Roundcube_CVE-2025-49113 ★ 0
github.com/punitdarji/roundcube-cve-2025-49113 ★ 0
github.com/hackmelocal/CVE-2025-49113-Simulation ★ 0
github.com/SteamPunk424/CVE-2025-49113-Roundcube-RCE-PHP ★ 0
github.com/AC8999/CVE-2025-49113 ★ 0
github.com/LeakForge/CVE-2025-49113 ★ 0
github.com/Zuack55/Roundcube-1.6.10-Post-Auth-RCE-CVE-2025-49113- ★ 0
github.com/ankitpandey383/roundcube-cve-2025-49113-lab ★ 0
github.com/Evillm/CVE-2025-49113-PoC ★ 0
github.com/mooder1/CVE-2025-49113 ★ 0
www.exploit-db.com/exploits/52324 (unverified)

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://fearsoff.org/research/roundcube
https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d
https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695
https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e
https://github.com/roundcube/roundcubemail/pull/9865
https://github.com/roundcube/roundcubemail/releases/tag/1.5.10
https://github.com/roundcube/roundcubemail/releases/tag/1.6.11
https://lists.debian.org/debian-lts-announce/2025/06/msg00008.html
https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113
https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script
https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detection