CVE-2025-49113
CISA KEV · Published February 20, 2026 · Updated April 3, 2026
What This Means
# CVE-2025-49113: Roundcube Webmail Authenticated RCE

**What it is:** Roundcube Webmail does not validate the `_from` URL parameter handled by `program/actions/settings/upload.php`, and the unvalidated value reaches a deserialization of untrusted data (PHP object injection). An authenticated user can craft a request to the settings upload action that makes the server execute arbitrary code.

**Impact:** Any user with valid Roundcube credentials can achieve remote code execution with the privileges of the web server process, leading to full compromise of the mail host, exfiltration of mailboxes and credentials, or lateral movement within your mail infrastructure. Because exploitation is post-authentication, a single phished or credential-stuffed webmail account is enough; treat exposed Roundcube logins as part of the attack surface.

**Action required:** Update Roundcube to a release that fixes CVE-2025-49113 (the vendor shipped the fix in 1.6.11 and 1.5.10). Until you can patch, treat the following as stopgaps only: restrict Roundcube access to trusted networks or VPN, add a WAF rule that rejects requests to the settings upload action whose `_from` value contains anything other than letters, digits, hyphen and underscore (validate that allowlist against your own legitimate traffic before enforcing it), and audit access logs for such requests. If you find any, assume the account that sent them and the web server process are compromised and investigate accordingly.
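The log audit suggested above, as an added example that is not part of this page or of the Roundcube project. It assumes combined-format web server access logs, that Roundcube reaches the affected code path through `_task=settings&_action=upload` in the query string (the request never names `upload.php` directly), and that a legitimate `_from` value is a short identifier made of letters, digits, hyphen and underscore; the sample log lines are constructed, not real traffic.

```python
"""Scan access logs for Roundcube settings-upload requests whose `_from`
value is not a plain identifier (a CVE-2025-49113 hunting heuristic).

Added example; assumptions (not from the advisory text):
  - Apache/nginx "combined" log format
  - the vulnerable path is reached via ?_task=settings&_action=upload
  - legitimate `_from` values match ^[A-Za-z0-9_-]+$
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines for demonstration only.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2025:10:01:02 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Jun/2025:10:01:09 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity&_id=3 HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jun/2025:10:02:41 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity%7Cx&_id=3 HTTP/1.1" 200 310 "-" "python-requests/2.32"
198.51.100.7 - - [03/Jun/2025:10:02:42 +0000] "GET /?_task=settings&_action=upload&_from=%3Cabc%3E HTTP/1.1" 500 0 "-" "python-requests/2.32"
"""

# Combined log format: ip ident user [ts] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed allowlist for a legitimate `_from` value.
SAFE_FROM = re.compile(r'^[A-Za-z0-9_-]+$')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # parse_qs percent-decodes values, so encoded payloads are inspected decoded.
    qs = parse_qs(urlsplit(rec['target']).query, keep_blank_values=True)
    rec['params'] = {k: v[0] for k, v in qs.items()}
    return rec


def is_upload_request(params):
    """True for requests that reach the settings upload action."""
    return params.get('_task') == 'settings' and params.get('_action') == 'upload'


def suspicious_from(value):
    """True when `_from` is absent-but-empty or contains non-identifier characters."""
    return value is None or not SAFE_FROM.match(value)


def audit(log_text):
    """Return one record per upload request carrying a suspicious `_from`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_upload_request(rec['params']):
            continue
        frm = rec['params'].get('_from')
        if frm is not None and suspicious_from(frm):
            hits.append({'ip': rec['ip'], 'ts': rec['ts'], 'from': frm,
                         'status': rec['status'], 'ua': rec['ua']})
    return hits


if __name__ == '__main__':
    for hit in audit(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} _from={hit['from']!r} "
              f"status={hit['status']} ua={hit['ua']}")
```

A hit is a lead, not proof of compromise: pivot on the source IP and the session's user to see what else that account did around the same time, and compare the status codes (a failed attempt and a successful one can look identical at the access-log level).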
Official Description
RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.
Affected Products
| Vendor | Product |
|---|---|
| Roundcube | Webmail |
Patch Status
Recommended Actions
- Check if your systems use any of the affected products listed above.
- Apply vendor patches immediately if available.
- This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
- Monitor vendor advisories for updates and additional mitigations.
- Review logs for indicators of compromise related to CVE-2025-49113.