CVE-2025-49113

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-49113
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49113.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-49113
Aliases
Related
Published
2025-06-02T05:15:53Z
Modified
2025-06-09T04:49:13.544647Z
Downstream
Summary
[none]
Details

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

References

Affected packages

Debian:11 / roundcube

Package

Name
roundcube
Purl
pkg:deb/debian/roundcube?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.15+dfsg.1-1+deb11u5

Affected versions

1.*

1.4.11+dfsg.1-4
1.4.12+dfsg.1-1~bpo10+1
1.4.12+dfsg.1-1~deb11u1
1.4.13+dfsg.1-1~deb11u1~bpo10+1
1.4.13+dfsg.1-1~deb11u1
1.4.14+dfsg.1-1~deb11u1~bpo10+1
1.4.14+dfsg.1-1~deb11u1
1.4.15+dfsg.1-1~deb11u1~bpo10+1
1.4.15+dfsg.1-1~deb11u1
1.4.15+dfsg.1-1~deb11u2~bpo10+1
1.4.15+dfsg.1-1~deb11u2
1.4.15+dfsg.1-1+deb11u3
1.4.15+dfsg.1-1+deb11u4

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / roundcube

Package

Name
roundcube
Purl
pkg:deb/debian/roundcube?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.5+dfsg-1+deb12u5

Affected versions

1.*

1.6.1+dfsg-1
1.6.2+dfsg-1
1.6.3+dfsg-1~deb12u1
1.6.3+dfsg-1
1.6.3+dfsg-2
1.6.4+dfsg-1~deb12u1
1.6.4+dfsg-1
1.6.5+dfsg-1~deb12u1
1.6.5+dfsg-1
1.6.5+dfsg-1+deb12u2
1.6.5+dfsg-1+deb12u3
1.6.5+dfsg-1+deb12u4

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / roundcube

Package

Name
roundcube
Purl
pkg:deb/debian/roundcube?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.11+dfsg-1

Affected versions

1.*

1.6.1+dfsg-1
1.6.2+dfsg-1
1.6.3+dfsg-1~deb12u1
1.6.3+dfsg-1
1.6.3+dfsg-2
1.6.4+dfsg-1~deb12u1
1.6.4+dfsg-1
1.6.5+dfsg-1~deb12u1
1.6.5+dfsg-1
1.6.6+dfsg-1
1.6.6+dfsg-2
1.6.7+dfsg-1
1.6.8+dfsg-1
1.6.8+dfsg-2
1.6.9+dfsg-1
1.6.9+dfsg-2
1.6.10+dfsg-1
1.6.10+dfsg-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Git / github.com/roundcube/roundcubemail

Affected ranges

Type
GIT
Repo
https://github.com/roundcube/roundcubemail
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
0376f69e958a8fef7f6f09e352c541b4e7729c4d
Fixed
2ae7cec1ca7086a93500f05b3810f2cc9a16990f
Fixed
7408f31379666124a39f9cb1018f62bc5e2dc695
Fixed
87380372b6d94f9c90bff2402b76aa71351193e1
Fixed
c50a07d88ca38f018a0f4a0b008e9a1deb32637e

Affected versions

1.*

1.1-beta
1.1-rc
1.1.0
1.2-beta
1.2-rc
1.3-beta
1.4-beta
1.4-rc1
1.4-rc2
1.5-beta
1.5-rc
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
1.6-beta
1.6-rc
1.6.0
1.6.1
1.6.10
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9

v0.*

v0.1-beta2

v1.*

v1.0-beta