CVE-2025-49113

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

References

Affected packages

Git / github.com/roundcube/roundcubemail

Affected ranges

Type

GIT

Repo

https://github.com/roundcube/roundcubemail

Events

Introduced

Fixed

87380372b6d94f9c90bff2402b76aa71351193e1

Introduced

993b888afe29c383bf45c84f17090f4db96367ba

Fixed

2ae7cec1ca7086a93500f05b3810f2cc9a16990f

Fixed

0376f69e958a8fef7f6f09e352c541b4e7729c4d

Fixed

7408f31379666124a39f9cb1018f62bc5e2dc695

Fixed

c50a07d88ca38f018a0f4a0b008e9a1deb32637e

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.5.10"
        },
        {
            "introduced": "1.6.0"
        },
        {
            "fixed": "1.6.11"
        }
    ]
}

Affected versions

1.*

1.1-beta

1.1-rc

1.1.0

1.2-beta

1.2-rc

1.3-beta

1.4-beta

1.4-rc1

1.4-rc2

1.5-beta

1.5-rc

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.5.6

1.5.7

1.5.8

1.5.9

1.6.0

1.6.1

1.6.10

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

v0.*

v0.1-beta2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49113.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0"
            }
        ]
    }
]