CVE-2025-49113: RoundCube Webmail Deserialization of Untrusted Data

RoundCube Webmail Deserialization of Untrusted Data Vulnerability. RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.

• CISA KEV-listed (remediation due 2026-03-13)
• EPSS 90.5% (99.6% percentile)

Browse the CVE database

Read the full analysis on IntelFusions