GHSA-8j8w-wwqc-x596

Source
https://github.com/advisories/GHSA-8j8w-wwqc-x596
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-8j8w-wwqc-x596/GHSA-8j8w-wwqc-x596.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8j8w-wwqc-x596
Aliases
Published
2025-06-02T06:30:32Z
Modified
2025-06-09T06:30:21Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization
Details

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

Database specific
{
    "nvd_published_at": "2025-06-02T05:15:53Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-06T22:17:35Z"
}
References

Affected packages

Packagist / roundcube/roundcubemail

Package

Name
roundcube/roundcubemail
Purl
pkg:composer/roundcube/roundcubemail

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Database specific

{
    "last_known_affected_version_range": "< 1.5.10"
}

Packagist / roundcube/roundcubemail

Package

Name
roundcube/roundcubemail
Purl
pkg:composer/roundcube/roundcubemail

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.6.0

Database specific

{
    "last_known_affected_version_range": "< 1.6.11"
}