Remote Code Execution Vulnerability in Roundcube Webmail by Roundcube
CVE-2025-49113
What is CVE-2025-49113?
CVE-2025-49113 is a remote code execution vulnerability found in Roundcube Webmail, an open-source webmail software widely used for accessing email through a web interface. This vulnerability arises from the improper validation of the _from parameter in a specific URL related to file uploads. As a result, authenticated users can exploit this flaw to execute arbitrary PHP code on the server, potentially compromising the integrity and security of the webmail application and any data associated with it. Organizations using affected versions of Roundcube Webmail may face severe operational disruptions, data loss, and unauthorized access as a direct consequence of this vulnerability.
Potential impact of CVE-2025-49113
- Remote Code Execution: The primary impact of CVE-2025-49113 is the ability for authenticated users to execute arbitrary code on the server. This can lead to unauthorized access, modification, or deletion of sensitive data stored within the webmail application.
- Data Breach and Information Disclosure: Exploitation of this vulnerability can result in significant data breaches, as attackers could gain access to confidential emails, user credentials, and other personal information. This not only jeopardizes user privacy but also exposes organizations to legal and regulatory repercussions.
- Service Disruption: A successful exploit could allow attackers to disrupt services by manipulating webmail functionalities, potentially leading to downtime or loss of service availability, which can significantly affect organizational productivity and service reliability.
Affected Version(s)
Webmail 0 < 1.5.10
Webmail 1.6.0 < 1.6.11
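The two ranges above are disjoint, so a single "older than 1.6.11" comparison misclassifies 1.5.10 and later 1.5.x releases. The following triage script is an added example, not code from Roundcube or from this page; the host names and inventory format are constructed assumptions, and version strings that are not plain numeric releases are reported as unknown for manual review.

```python
import re

# Affected ranges as listed on this page: (lower inclusive, upper exclusive).
AFFECTED_RANGES = [
    ((0, 0, 0), (1, 5, 10)),
    ((1, 6, 0), (1, 6, 11)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch), or None when the string is not a plain release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None  # e.g. "1.6-rc" or an empty field: needs manual review
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def classify(version_text):
    """Classify one version string as 'affected', 'not affected' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    # Tuples compare numerically, so 1.10.x is not mistaken for 1.1.x.
    for lower, upper in AFFECTED_RANGES:
        if lower <= version < upper:
            return "affected"
    return "not affected"


def triage(inventory):
    """Group hosts by classification; inventory maps host name -> version string."""
    report = {"affected": [], "not affected": [], "unknown": []}
    for host, version_text in sorted(inventory.items()):
        report[classify(version_text)].append(host)
    return report


# Constructed sample inventory (hypothetical host names, not from the page).
SAMPLE_INVENTORY = {
    "mail-a.example": "1.6.10",
    "mail-b.example": "1.6.11",
    "mail-c.example": "1.5.9",
    "mail-d.example": "1.5.10",
    "mail-e.example": "1.4.15",
    "mail-f.example": "1.6-rc",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```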
News Articles

Critical 10-Year-Old Roundcube Webmail Bug Allows Authenticated Users Run Malicious Code
Critical Roundcube bug CVE-2025-49113 affects versions before 1.6.11, enabling code execution via URL flaw.