CVE-2025-49113

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-49113
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49113.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-49113
Aliases
Downstream
Related
Published
2025-06-02T05:15:53.420Z
Modified
2026-02-20T07:42:01.241149Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

References

Affected packages

Git / github.com/roundcube/roundcubemail

Affected ranges

Type
GIT
Repo
https://github.com/roundcube/roundcubemail
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
0376f69e958a8fef7f6f09e352c541b4e7729c4d
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
2ae7cec1ca7086a93500f05b3810f2cc9a16990f
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
7408f31379666124a39f9cb1018f62bc5e2dc695
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
87380372b6d94f9c90bff2402b76aa71351193e1
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
c50a07d88ca38f018a0f4a0b008e9a1deb32637e
Introduced
993b888afe29c383bf45c84f17090f4db96367ba
Fixed
2ae7cec1ca7086a93500f05b3810f2cc9a16990f

Affected versions

1.*
1.6.0
1.6.1
1.6.10
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49113.json"