RCE in Roundcube <1.6.11 via Unvalidated _from Param (PHP OD)
CVE-2025-49113 Published on June 2, 2025
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Known Exploited Vulnerability
This RoundCube Webmail Deserialization of Untrusted Data Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.
The following remediation steps are recommended / required by March 13, 2026: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2025-49113 has been classified as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2025-49113
Affected Versions
Roundcube Webmail:
- Versions before 1.5.10 are affected.
- Versions from 1.6.0 up to, but not including, 1.6.11 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.