CVE-2025-49113

CRITICAL Actively Exploited

roundcubemail: Remote Code Execution in Roundcube via Unvalidated _from Parameter

CVSS v3

9.9

CRITICAL

EPSS Score

90.4%

exploit probability

CISA KEV

No

known exploited

Exploitation

active

SSVC status

Description

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

Technical Details

CVSS v3 Vector
3.1
Published
6/2/2025
Last Modified
2/23/2026
Exploit-DB
EDB-52324

Frequently Asked Questions

What is CVE-2025-49113?

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

Is CVE-2025-49113 actively exploited?

Yes. CVE-2025-49113 has been observed in active exploitation according to SSVC analysis.

What is the CVSS score for CVE-2025-49113?

CVE-2025-49113 has a CVSS v3 base score of 9.9 (CRITICAL severity), with vector string 3.1.

Is CVE-2025-49113 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.

Check an IPSearch CVEs
Back to CVE Database