Critical severity · CISA KEV · NVD Advisory · Published Jun 2, 2025 · Updated Feb 21, 2026

CVE-2025-49113

Description

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions     Patched versions
roundcube/roundcubemail (Packagist)  < 1.5.10              1.5.10
roundcube/roundcubemail (Packagist)  >= 1.6.0, < 1.6.11    1.6.11
