CVE-2025-49113 - log

CVE-2025-49113 edited at 03 Jun 2025 00:53:20
References
https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
https://www.cve.org/CVERecord?id=CVE-2025-49113
+ https://www.openwall.com/lists/oss-security/2025/06/02/3
+ https://github.com/roundcube/roundcubemail/pull/9865
CVE-2025-49113 created at 03 Jun 2025 00:49:35
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
References
+ https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
+ https://www.cve.org/CVERecord?id=CVE-2025-49113
Notes