Vulnerability intelligence
CVE-2025-49113
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
CVSS Score
9.9
Critical
EPSS — Exploit Probability
95%
Riskier than 100% of all CVEs
Exploitation
Confirmed in the wild
KEV since 2026-02-20
Remediation
Patch available
Federal deadline 2026-03-13
1 article across 1 outlet · first covered Jul 13, 2026 · latest Jul 13, 2026
Tracked incidents
Associated threat actors
Coverage timeline
-
UNK_MassTraction Exploits Roundcube Webmail to Hit University Physics Departmentssecurityonline.info · Jul 13, 2026