CVE-2025-49113 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.9 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
mitre	CNA	9.9 CRITICAL				CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 67%

Debian Releases

Debian Product

Codename

roundcube

bullseye (security)	vulnerable
bullseye	vulnerable
bookworm	vulnerable
bookworm (security)	1.6.5+dfsg-1+deb12u5 fixed
trixie	vulnerable
sid	1.6.11+dfsg-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

roundcube

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

Common Weakness Enumeration

CWE-502 - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Vulnerability Media Exposure

[GERMAN] Roundcube: Schwachstelle ermöglicht Codeausführung
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Roundcube ausnutzen, um beliebigen Programmcode auszuführen.
Published: 2025-06-01T22:00:00+00:00
[GERMAN] Angreifer können Roundcube Webmail mit Schadcode attackieren
Es sind wichtige Sicherheitsupdates für Roundcube Webmail erschienen. Noch gibt es keine Berichte zu Attacken.
Published: 2025-06-03T12:20:00+00:00
[ENGLISH] Critical 10-Year-Old Roundcube Webmail Bug Allows Authenticated Users Run Malicious Code
Cybersecurity researchers have disclosed details of a critical security flaw in the Roundcube webmail software that has gone unnoticed for a decade and could be exploited to take over susceptible systems and execute arbitrary code. The vulnerability, tracked as CVE-2025-49113, carries a CVSS score of 9.9 out of 10.0. It has been described as a case of post-authenticated remote code execution via
Published: 2025-06-03T18:31:00+05:30

References

https://fearsoff.org/research/roundcube

https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d

https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695

https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e

https://github.com/roundcube/roundcubemail/pull/9865

https://github.com/roundcube/roundcubemail/releases/tag/1.5.10

https://github.com/roundcube/roundcubemail/releases/tag/1.6.11

https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10

http://www.openwall.com/lists/oss-security/2025/06/02/3