Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:deb/debian/roundcube@1.4.15%2Bdfsg.1-1%2Bdeb11u5?distro=trixie

Type deb

Namespace debian

Name roundcube

Version 1.4.15+dfsg.1-1+deb11u5

Qualifiers

distro	trixie

Subpath

Is_vulnerable false

Next_non_vulnerable_version 1.4.15+dfsg.1-1+deb11u6

Latest_non_vulnerable_version 1.6.15+dfsg-1

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-3kyu-tx4q-p3aq

vulnerability_id VCID-3kyu-tx4q-p3aq

summary

Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49113.json

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49113.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-49113

reference_id

reference_type

scores

value	0.9042
scoring_system	epss
scoring_elements	0.99609
published_at	2026-04-24T12:55:00Z

value	0.90478
scoring_system	epss
scoring_elements	0.99609
published_at	2026-04-18T12:55:00Z

value	0.90891
scoring_system	epss
scoring_elements	0.99636
published_at	2026-04-21T12:55:00Z

value	0.91243
scoring_system	epss
scoring_elements	0.99653
published_at	2026-04-16T12:55:00Z

value	0.91574
scoring_system	epss
scoring_elements	0.9967
published_at	2026-04-02T12:55:00Z

value	0.91574
scoring_system	epss
scoring_elements	0.99675
published_at	2026-04-13T12:55:00Z

value	0.91574
scoring_system	epss
scoring_elements	0.99674
published_at	2026-04-09T12:55:00Z

value	0.91574
scoring_system	epss
scoring_elements	0.99673
published_at	2026-04-07T12:55:00Z

value	0.91574
scoring_system	epss
scoring_elements	0.99672
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-49113

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49113
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49113

reference_url

https://fearsoff.org/research/roundcube

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://fearsoff.org/research/roundcube

reference_url

https://github.com/roundcube/roundcubemail

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/roundcube/roundcubemail

reference_url

https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d

reference_url

https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695

reference_url

https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e

reference_url

https://github.com/roundcube/roundcubemail/pull/9865

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://github.com/roundcube/roundcubemail/pull/9865

reference_url

https://github.com/roundcube/roundcubemail/releases/tag/1.5.10

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://github.com/roundcube/roundcubemail/releases/tag/1.5.10

reference_url

https://github.com/roundcube/roundcubemail/releases/tag/1.6.11

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://github.com/roundcube/roundcubemail/releases/tag/1.6.11

reference_url

https://lists.debian.org/debian-lts-announce/2025/06/msg00008.html

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/06/msg00008.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-49113

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-49113

reference_url

https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10

reference_url

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113

reference_url

https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script

reference_url

https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detection

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detection

reference_url

http://www.openwall.com/lists/oss-security/2025/06/02/3

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2025/06/02/3

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107073
reference_id	1107073
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107073

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2369696
reference_id	2369696
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2369696

reference_url	https://security.archlinux.org/ASA-202506-1
reference_id	ASA-202506-1
reference_type
scores
url	https://security.archlinux.org/ASA-202506-1

reference_url

https://security.archlinux.org/AVG-2891

reference_id

AVG-2891

reference_type

scores

value	Critical
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-2891

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52324.NA
reference_id	CVE-2025-49113
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52324.NA

reference_url

https://github.com/advisories/GHSA-8j8w-wwqc-x596

reference_id

GHSA-8j8w-wwqc-x596

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8j8w-wwqc-x596

reference_url	https://usn.ubuntu.com/7584-1/
reference_id	USN-7584-1
reference_type
scores
url	https://usn.ubuntu.com/7584-1/

fixed_packages

url pkg:deb/debian/roundcube@1.4.15%2Bdfsg.1-1%2Bdeb11u4?distro=trixie

purl pkg:deb/debian/roundcube@1.4.15%2Bdfsg.1-1%2Bdeb11u4?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-rdb5-bbvn-7fcq

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.4.15%252Bdfsg.1-1%252Bdeb11u4%3Fdistro=trixie

url	pkg:deb/debian/roundcube@1.4.15%2Bdfsg.1-1%2Bdeb11u5?distro=trixie
purl	pkg:deb/debian/roundcube@1.4.15%2Bdfsg.1-1%2Bdeb11u5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.4.15%252Bdfsg.1-1%252Bdeb11u5%3Fdistro=trixie

url	pkg:deb/debian/roundcube@1.6.5%2Bdfsg-1%2Bdeb12u5?distro=trixie
purl	pkg:deb/debian/roundcube@1.6.5%2Bdfsg-1%2Bdeb12u5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.5%252Bdfsg-1%252Bdeb12u5%3Fdistro=trixie

url	pkg:deb/debian/roundcube@1.6.5%2Bdfsg-1%2Bdeb12u6?distro=trixie
purl	pkg:deb/debian/roundcube@1.6.5%2Bdfsg-1%2Bdeb12u6?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.5%252Bdfsg-1%252Bdeb12u6%3Fdistro=trixie

url	pkg:deb/debian/roundcube@1.6.11%2Bdfsg-1?distro=trixie
purl	pkg:deb/debian/roundcube@1.6.11%2Bdfsg-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.11%252Bdfsg-1%3Fdistro=trixie

url	pkg:deb/debian/roundcube@1.6.13%2Bdfsg-0%2Bdeb13u1?distro=trixie
purl	pkg:deb/debian/roundcube@1.6.13%2Bdfsg-0%2Bdeb13u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.13%252Bdfsg-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/roundcube@1.6.15%2Bdfsg-1?distro=trixie
purl	pkg:deb/debian/roundcube@1.6.15%2Bdfsg-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.15%252Bdfsg-1%3Fdistro=trixie

aliases CVE-2025-49113, GHSA-8j8w-wwqc-x596

risk_score 10.0

exploitability 2.0

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3kyu-tx4q-p3aq

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.4.15%252Bdfsg.1-1%252Bdeb11u5%3Fdistro=trixie

Package Instance