All CVEs
Vulnerability intelligence

CVE-2025-49113

CWE-502

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

CVSS Score
9.9
Critical
EPSS — Exploit Probability
95%
Riskier than 100% of all CVEs
Exploitation
Confirmed in the wild
KEV since 2026-02-20
Remediation
Patch available
Federal deadline 2026-03-13
NVD entry Vendor patch PoC / advisory CISA KEV

1 article across 1 outlet · first covered Jul 13, 2026 · latest Jul 13, 2026

Tracked incidents

Associated threat actors

Coverage timeline