CVE-2025-49113 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.9 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
mitre	CNA	9.9 CRITICAL				CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Affected Products (NVD)

Vendor	Product	Version
roundcube	webmail	𝑥 < 1.5.10
roundcube	webmail	1.6.0 ≤ 𝑥 < 1.6.11
debian	debian_linux	11.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

roundcube

bookworm	1.6.5+dfsg-1+deb12u6 fixed
bookworm (security)	1.6.5+dfsg-1+deb12u7 fixed
bullseye	vulnerable
bullseye (security)	1.4.15+dfsg.1-1+deb11u7 fixed
forky	1.6.13+dfsg-1 fixed
sid	1.6.13+dfsg-1 fixed
trixie	1.6.12+dfsg-0+deb13u1 fixed
trixie (security)	1.6.13+dfsg-0+deb13u1 fixed

Ubuntu Releases

Ubuntu Product

Codename

roundcube

bionic	Fixed 1.3.6+dfsg.1-1ubuntu0.1~esm5 released
focal	Fixed 1.4.3+dfsg.1-1ubuntu0.1~esm5 released
jammy	Fixed 1.5.0+dfsg.1-2ubuntu0.1~esm4 released
noble	Fixed 1.6.6+dfsg-2ubuntu0.1 released
oracular	Fixed 1.6.8+dfsg-2ubuntu0.1 released
plucky	Fixed 1.6.10+dfsg-1ubuntu0.1 released
questing	not-affected
xenial	Fixed 1.2~beta+dfsg.1-0ubuntu1+esm6 released

Known Exploits!

Common Weakness Enumeration

CWE-502 - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Vulnerability Media Exposure

[GERMAN] Roundcube Webmail: Angriffe auf Sicherheitslücken laufen
Die IT-Sicherheitsbehörde CISA warnt vor aktuell beobachteten Angriffen auf Roundcube-Webmail-Schwachstellen. Admins sollten updaten.
Published: 2026-02-23T07:00:00+00:00

References

https://fearsoff.org/research/roundcube

https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d

https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695

https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e

https://github.com/roundcube/roundcubemail/pull/9865

https://github.com/roundcube/roundcubemail/releases/tag/1.5.10

https://github.com/roundcube/roundcubemail/releases/tag/1.6.11

https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10

https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script

https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detection

http://www.openwall.com/lists/oss-security/2025/06/02/3

https://lists.debian.org/debian-lts-announce/2025/06/msg00008.html

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113