Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-3kyu-tx4q-p3aq

Summary

Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

Aliases

alias	CVE-2025-49113

alias	GHSA-8j8w-wwqc-x596

Fixed_packages

url	pkg:alpm/archlinux/roundcubemail@1.6.11-1
purl	pkg:alpm/archlinux/roundcubemail@1.6.11-1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/roundcubemail@1.6.11-1

url pkg:deb/debian/roundcube@1.4.15%2Bdfsg.1-1%2Bdeb11u4?distro=trixie

purl pkg:deb/debian/roundcube@1.4.15%2Bdfsg.1-1%2Bdeb11u4?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-rdb5-bbvn-7fcq

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.4.15%252Bdfsg.1-1%252Bdeb11u4%3Fdistro=trixie

url	pkg:deb/debian/roundcube@1.4.15%2Bdfsg.1-1%2Bdeb11u5?distro=trixie
purl	pkg:deb/debian/roundcube@1.4.15%2Bdfsg.1-1%2Bdeb11u5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.4.15%252Bdfsg.1-1%252Bdeb11u5%3Fdistro=trixie

url	pkg:deb/debian/roundcube@1.6.5%2Bdfsg-1%2Bdeb12u5?distro=trixie
purl	pkg:deb/debian/roundcube@1.6.5%2Bdfsg-1%2Bdeb12u5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.5%252Bdfsg-1%252Bdeb12u5%3Fdistro=trixie

url	pkg:deb/debian/roundcube@1.6.5%2Bdfsg-1%2Bdeb12u6?distro=trixie
purl	pkg:deb/debian/roundcube@1.6.5%2Bdfsg-1%2Bdeb12u6?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.5%252Bdfsg-1%252Bdeb12u6%3Fdistro=trixie

url	pkg:deb/debian/roundcube@1.6.5%2Bdfsg-1%2Bdeb12u6
purl	pkg:deb/debian/roundcube@1.6.5%2Bdfsg-1%2Bdeb12u6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.5%252Bdfsg-1%252Bdeb12u6

url	pkg:deb/debian/roundcube@1.6.11%2Bdfsg-1?distro=trixie
purl	pkg:deb/debian/roundcube@1.6.11%2Bdfsg-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.11%252Bdfsg-1%3Fdistro=trixie

url	pkg:deb/debian/roundcube@1.6.13%2Bdfsg-0%2Bdeb13u1?distro=trixie
purl	pkg:deb/debian/roundcube@1.6.13%2Bdfsg-0%2Bdeb13u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.13%252Bdfsg-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/roundcube@1.6.15%2Bdfsg-1?distro=trixie
purl	pkg:deb/debian/roundcube@1.6.15%2Bdfsg-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.15%252Bdfsg-1%3Fdistro=trixie

Affected_packages

url pkg:alpm/archlinux/roundcubemail@1.6.10-1

purl pkg:alpm/archlinux/roundcubemail@1.6.10-1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3kyu-tx4q-p3aq

resource_url http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/roundcubemail@1.6.10-1

url pkg:composer/roundcube/roundcubemail@1.6.0

purl pkg:composer/roundcube/roundcubemail@1.6.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3kyu-tx4q-p3aq

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/roundcube/roundcubemail@1.6.0

url pkg:deb/debian/roundcube@0.3.1-6

purl pkg:deb/debian/roundcube@0.3.1-6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-14vp-t71a-4bh1

vulnerability	VCID-1aph-76b1-eyhv

vulnerability	VCID-23v8-vzqs-j3f6

vulnerability	VCID-2eyy-k49d-m3af

vulnerability	VCID-2hap-9mqs-v3b8

vulnerability	VCID-2k4q-26tk-j3gx

vulnerability	VCID-2nb2-9vgp-tqg9

vulnerability	VCID-36et-26h7-pke7

vulnerability	VCID-3kyu-tx4q-p3aq

vulnerability	VCID-489e-j7sj-5kgv

vulnerability	VCID-4yzj-hrqv-vbcp

vulnerability	VCID-53mq-nmxf-eug3

vulnerability	VCID-5yts-xnha-4bf3

vulnerability	VCID-76t7-q4pa-gkct

vulnerability	VCID-79me-pjdn-ykgq

vulnerability	VCID-7hh1-8grz-7fa9

vulnerability	VCID-7nn6-aywu-z7g8

vulnerability	VCID-8keg-wbj1-8ua9

vulnerability	VCID-8vmm-1hvf-17ap

vulnerability	VCID-8xf2-hjfv-hybh

vulnerability	VCID-9der-5csu-nbbq

vulnerability	VCID-9ktu-55q4-3kau

vulnerability	VCID-9uqr-ph81-gfef

vulnerability	VCID-9uv1-gqq7-3kc9

vulnerability	VCID-brmp-djyb-q3b7

vulnerability	VCID-c196-941x-8kfj

vulnerability	VCID-c4ys-1wzp-vqej

vulnerability	VCID-cjkd-2jr6-n7as

vulnerability	VCID-ck88-1urs-2kes

vulnerability	VCID-cnkc-vcp7-6kcw

vulnerability	VCID-ddfq-28qm-2fbn

vulnerability	VCID-dzu5-531f-qqgy

vulnerability	VCID-ekhg-mmjb-v3c3

vulnerability	VCID-fuh5-bwaq-yyfk

vulnerability	VCID-g7dn-kxs3-p7bx

vulnerability	VCID-gh6k-19h8-fqbf

vulnerability	VCID-hg1a-vx5c-hue3

vulnerability	VCID-j29t-cw2h-mfd8

vulnerability	VCID-ja7n-zgpp-dfh4

vulnerability	VCID-jck5-xymf-s3bh

vulnerability	VCID-jqs5-8ct7-wfgk

vulnerability	VCID-kch8-wrzv-bfdm

vulnerability	VCID-kep3-256k-fqdm

vulnerability	VCID-kf54-x29g-63fb

vulnerability	VCID-kyxz-v3sj-w3cw

vulnerability	VCID-m4yc-ms54-zyhv

vulnerability	VCID-ncbg-6m11-3qan

vulnerability	VCID-qfyq-umv5-e7h1

vulnerability	VCID-qr2m-f4yw-qqa5

vulnerability	VCID-qwak-6wgy-wfgs

vulnerability	VCID-r1hb-f5nm-ykhk

vulnerability	VCID-rc91-j3kf-zfch

vulnerability	VCID-rthq-fqk2-yydk

vulnerability	VCID-s6p1-rf35-euhy

vulnerability	VCID-spk8-q616-rkda

vulnerability	VCID-tmch-gj6d-tyfq

vulnerability	VCID-ts1p-pw9v-cbh3

vulnerability	VCID-u8a4-4pe2-9kcb

vulnerability	VCID-ub6x-9dku-c7fk

vulnerability	VCID-ur1a-7tdn-h3hu

vulnerability	VCID-vehj-ytsm-kqgz

vulnerability	VCID-vtz8-zmp4-xbdh

vulnerability	VCID-x9j7-98zt-6ygt

vulnerability	VCID-xssa-fwbx-kybq

vulnerability	VCID-ybv7-hqmj-nbgr

vulnerability	VCID-yerh-ssat-abah

vulnerability	VCID-yv5x-shsw-57cv

vulnerability	VCID-z3kp-p8ch-myhz

vulnerability	VCID-z7fn-ubfx-g3em

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@0.3.1-6

url pkg:deb/debian/roundcube@0.3.1-6%2Bdeb6u1

purl pkg:deb/debian/roundcube@0.3.1-6%2Bdeb6u1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-14vp-t71a-4bh1

vulnerability	VCID-1aph-76b1-eyhv

vulnerability	VCID-23v8-vzqs-j3f6

vulnerability	VCID-2eyy-k49d-m3af

vulnerability	VCID-2hap-9mqs-v3b8

vulnerability	VCID-2k4q-26tk-j3gx

vulnerability	VCID-2nb2-9vgp-tqg9

vulnerability	VCID-36et-26h7-pke7

vulnerability	VCID-3kyu-tx4q-p3aq

vulnerability	VCID-489e-j7sj-5kgv

vulnerability	VCID-4yzj-hrqv-vbcp

vulnerability	VCID-53mq-nmxf-eug3

vulnerability	VCID-5yts-xnha-4bf3

vulnerability	VCID-76t7-q4pa-gkct

vulnerability	VCID-79me-pjdn-ykgq

vulnerability	VCID-7hh1-8grz-7fa9

vulnerability	VCID-7nn6-aywu-z7g8

vulnerability	VCID-8keg-wbj1-8ua9

vulnerability	VCID-8vmm-1hvf-17ap

vulnerability	VCID-8xf2-hjfv-hybh

vulnerability	VCID-9der-5csu-nbbq

vulnerability	VCID-9ktu-55q4-3kau

vulnerability	VCID-9uqr-ph81-gfef

vulnerability	VCID-9uv1-gqq7-3kc9

vulnerability	VCID-brmp-djyb-q3b7

vulnerability	VCID-c196-941x-8kfj

vulnerability	VCID-c4ys-1wzp-vqej

vulnerability	VCID-cjkd-2jr6-n7as

vulnerability	VCID-ck88-1urs-2kes

vulnerability	VCID-cnkc-vcp7-6kcw

vulnerability	VCID-ddfq-28qm-2fbn

vulnerability	VCID-dzu5-531f-qqgy

vulnerability	VCID-ekhg-mmjb-v3c3

vulnerability	VCID-fuh5-bwaq-yyfk

vulnerability	VCID-g7dn-kxs3-p7bx

vulnerability	VCID-gh6k-19h8-fqbf

vulnerability	VCID-hg1a-vx5c-hue3

vulnerability	VCID-j29t-cw2h-mfd8

vulnerability	VCID-ja7n-zgpp-dfh4

vulnerability	VCID-jck5-xymf-s3bh

vulnerability	VCID-jqs5-8ct7-wfgk

vulnerability	VCID-kch8-wrzv-bfdm

vulnerability	VCID-kep3-256k-fqdm

vulnerability	VCID-kf54-x29g-63fb

vulnerability	VCID-kyxz-v3sj-w3cw

vulnerability	VCID-m4yc-ms54-zyhv

vulnerability	VCID-ncbg-6m11-3qan

vulnerability	VCID-qfyq-umv5-e7h1

vulnerability	VCID-qr2m-f4yw-qqa5

vulnerability	VCID-qwak-6wgy-wfgs

vulnerability	VCID-r1hb-f5nm-ykhk

vulnerability	VCID-rc91-j3kf-zfch

vulnerability	VCID-rthq-fqk2-yydk

vulnerability	VCID-s6p1-rf35-euhy

vulnerability	VCID-spk8-q616-rkda

vulnerability	VCID-tmch-gj6d-tyfq

vulnerability	VCID-ts1p-pw9v-cbh3

vulnerability	VCID-u8a4-4pe2-9kcb

vulnerability	VCID-ub6x-9dku-c7fk

vulnerability	VCID-ur1a-7tdn-h3hu

vulnerability	VCID-vehj-ytsm-kqgz

vulnerability	VCID-vtz8-zmp4-xbdh

vulnerability	VCID-x9j7-98zt-6ygt

vulnerability	VCID-xssa-fwbx-kybq

vulnerability	VCID-ybv7-hqmj-nbgr

vulnerability	VCID-yerh-ssat-abah

vulnerability	VCID-yv5x-shsw-57cv

vulnerability	VCID-z3kp-p8ch-myhz

vulnerability	VCID-z7fn-ubfx-g3em

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@0.3.1-6%252Bdeb6u1

url pkg:deb/debian/roundcube@0.7.2-9%2Bdeb7u2

purl pkg:deb/debian/roundcube@0.7.2-9%2Bdeb7u2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-14vp-t71a-4bh1

vulnerability	VCID-23v8-vzqs-j3f6

vulnerability	VCID-2eyy-k49d-m3af

vulnerability	VCID-2hap-9mqs-v3b8

vulnerability	VCID-2k4q-26tk-j3gx

vulnerability	VCID-2nb2-9vgp-tqg9

vulnerability	VCID-36et-26h7-pke7

vulnerability	VCID-3kyu-tx4q-p3aq

vulnerability	VCID-489e-j7sj-5kgv

vulnerability	VCID-4yzj-hrqv-vbcp

vulnerability	VCID-5yts-xnha-4bf3

vulnerability	VCID-76t7-q4pa-gkct

vulnerability	VCID-79me-pjdn-ykgq

vulnerability	VCID-7nn6-aywu-z7g8

vulnerability	VCID-8vmm-1hvf-17ap

vulnerability	VCID-8xf2-hjfv-hybh

vulnerability	VCID-9der-5csu-nbbq

vulnerability	VCID-9ktu-55q4-3kau

vulnerability	VCID-9uqr-ph81-gfef

vulnerability	VCID-9uv1-gqq7-3kc9

vulnerability	VCID-brmp-djyb-q3b7

vulnerability	VCID-c4ys-1wzp-vqej

vulnerability	VCID-cjkd-2jr6-n7as

vulnerability	VCID-ck88-1urs-2kes

vulnerability	VCID-cnkc-vcp7-6kcw

vulnerability	VCID-ddfq-28qm-2fbn

vulnerability	VCID-dzu5-531f-qqgy

vulnerability	VCID-ekhg-mmjb-v3c3

vulnerability	VCID-fuh5-bwaq-yyfk

vulnerability	VCID-g7dn-kxs3-p7bx

vulnerability	VCID-gh6k-19h8-fqbf

vulnerability	VCID-hg1a-vx5c-hue3

vulnerability	VCID-j29t-cw2h-mfd8

vulnerability	VCID-ja7n-zgpp-dfh4

vulnerability	VCID-jck5-xymf-s3bh

vulnerability	VCID-jqs5-8ct7-wfgk

vulnerability	VCID-kf54-x29g-63fb

vulnerability	VCID-kyxz-v3sj-w3cw

vulnerability	VCID-m4yc-ms54-zyhv

vulnerability	VCID-ncbg-6m11-3qan

vulnerability	VCID-qr2m-f4yw-qqa5

vulnerability	VCID-qwak-6wgy-wfgs

vulnerability	VCID-r1hb-f5nm-ykhk

vulnerability	VCID-rc91-j3kf-zfch

vulnerability	VCID-rthq-fqk2-yydk

vulnerability	VCID-s6p1-rf35-euhy

vulnerability	VCID-spk8-q616-rkda

vulnerability	VCID-tmch-gj6d-tyfq

vulnerability	VCID-ts1p-pw9v-cbh3

vulnerability	VCID-u8a4-4pe2-9kcb

vulnerability	VCID-ub6x-9dku-c7fk

vulnerability	VCID-ur1a-7tdn-h3hu

vulnerability	VCID-vehj-ytsm-kqgz

vulnerability	VCID-vtz8-zmp4-xbdh

vulnerability	VCID-x9j7-98zt-6ygt

vulnerability	VCID-xssa-fwbx-kybq

vulnerability	VCID-ybv7-hqmj-nbgr

vulnerability	VCID-yerh-ssat-abah

vulnerability	VCID-yv5x-shsw-57cv

vulnerability	VCID-z3kp-p8ch-myhz

vulnerability	VCID-z7fn-ubfx-g3em

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@0.7.2-9%252Bdeb7u2

url pkg:deb/debian/roundcube@1.1.5%2Bdfsg.1-1~bpo8%2B5

purl pkg:deb/debian/roundcube@1.1.5%2Bdfsg.1-1~bpo8%2B5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-14vp-t71a-4bh1

vulnerability	VCID-2eyy-k49d-m3af

vulnerability	VCID-2hap-9mqs-v3b8

vulnerability	VCID-2k4q-26tk-j3gx

vulnerability	VCID-2nb2-9vgp-tqg9

vulnerability	VCID-36et-26h7-pke7

vulnerability	VCID-3kyu-tx4q-p3aq

vulnerability	VCID-4yzj-hrqv-vbcp

vulnerability	VCID-5yts-xnha-4bf3

vulnerability	VCID-79me-pjdn-ykgq

vulnerability	VCID-7nn6-aywu-z7g8

vulnerability	VCID-8vmm-1hvf-17ap

vulnerability	VCID-8xf2-hjfv-hybh

vulnerability	VCID-9der-5csu-nbbq

vulnerability	VCID-9ktu-55q4-3kau

vulnerability	VCID-9uv1-gqq7-3kc9

vulnerability	VCID-brmp-djyb-q3b7

vulnerability	VCID-c4ys-1wzp-vqej

vulnerability	VCID-cjkd-2jr6-n7as

vulnerability	VCID-ck88-1urs-2kes

vulnerability	VCID-cnkc-vcp7-6kcw

vulnerability	VCID-ddfq-28qm-2fbn

vulnerability	VCID-ekhg-mmjb-v3c3

vulnerability	VCID-fuh5-bwaq-yyfk

vulnerability	VCID-gh6k-19h8-fqbf

vulnerability	VCID-hg1a-vx5c-hue3

vulnerability	VCID-j29t-cw2h-mfd8

vulnerability	VCID-jck5-xymf-s3bh

vulnerability	VCID-jqs5-8ct7-wfgk

vulnerability	VCID-kyxz-v3sj-w3cw

vulnerability	VCID-m4yc-ms54-zyhv

vulnerability	VCID-ncbg-6m11-3qan

vulnerability	VCID-qwak-6wgy-wfgs

vulnerability	VCID-rc91-j3kf-zfch

vulnerability	VCID-rthq-fqk2-yydk

vulnerability	VCID-s6p1-rf35-euhy

vulnerability	VCID-spk8-q616-rkda

vulnerability	VCID-tmch-gj6d-tyfq

vulnerability	VCID-ts1p-pw9v-cbh3

vulnerability	VCID-u8a4-4pe2-9kcb

vulnerability	VCID-ub6x-9dku-c7fk

vulnerability	VCID-ur1a-7tdn-h3hu

vulnerability	VCID-vehj-ytsm-kqgz

vulnerability	VCID-vtz8-zmp4-xbdh

vulnerability	VCID-x9j7-98zt-6ygt

vulnerability	VCID-xssa-fwbx-kybq

vulnerability	VCID-ybv7-hqmj-nbgr

vulnerability	VCID-yerh-ssat-abah

vulnerability	VCID-z3kp-p8ch-myhz

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.1.5%252Bdfsg.1-1~bpo8%252B5

url pkg:deb/debian/roundcube@1.2.3%2Bdfsg.1-4%2Bdeb9u6

purl pkg:deb/debian/roundcube@1.2.3%2Bdfsg.1-4%2Bdeb9u6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-14vp-t71a-4bh1

vulnerability	VCID-2eyy-k49d-m3af

vulnerability	VCID-2hap-9mqs-v3b8

vulnerability	VCID-2k4q-26tk-j3gx

vulnerability	VCID-2nb2-9vgp-tqg9

vulnerability	VCID-36et-26h7-pke7

vulnerability	VCID-3kyu-tx4q-p3aq

vulnerability	VCID-4yzj-hrqv-vbcp

vulnerability	VCID-5yts-xnha-4bf3

vulnerability	VCID-79me-pjdn-ykgq

vulnerability	VCID-7nn6-aywu-z7g8

vulnerability	VCID-8vmm-1hvf-17ap

vulnerability	VCID-8xf2-hjfv-hybh

vulnerability	VCID-9der-5csu-nbbq

vulnerability	VCID-9ktu-55q4-3kau

vulnerability	VCID-9uv1-gqq7-3kc9

vulnerability	VCID-cjkd-2jr6-n7as

vulnerability	VCID-ck88-1urs-2kes

vulnerability	VCID-cnkc-vcp7-6kcw

vulnerability	VCID-ddfq-28qm-2fbn

vulnerability	VCID-fuh5-bwaq-yyfk

vulnerability	VCID-gh6k-19h8-fqbf

vulnerability	VCID-hg1a-vx5c-hue3

vulnerability	VCID-j29t-cw2h-mfd8

vulnerability	VCID-jck5-xymf-s3bh

vulnerability	VCID-jqs5-8ct7-wfgk

vulnerability	VCID-kyxz-v3sj-w3cw

vulnerability	VCID-m4yc-ms54-zyhv

vulnerability	VCID-ncbg-6m11-3qan

vulnerability	VCID-qwak-6wgy-wfgs

vulnerability	VCID-rc91-j3kf-zfch

vulnerability	VCID-s6p1-rf35-euhy

vulnerability	VCID-ts1p-pw9v-cbh3

vulnerability	VCID-u8a4-4pe2-9kcb

vulnerability	VCID-ub6x-9dku-c7fk

vulnerability	VCID-ur1a-7tdn-h3hu

vulnerability	VCID-vehj-ytsm-kqgz

vulnerability	VCID-vtz8-zmp4-xbdh

vulnerability	VCID-x9j7-98zt-6ygt

vulnerability	VCID-xssa-fwbx-kybq

vulnerability	VCID-ybv7-hqmj-nbgr

vulnerability	VCID-z3kp-p8ch-myhz

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.2.3%252Bdfsg.1-4%252Bdeb9u6

url pkg:deb/debian/roundcube@1.3.17%2Bdfsg.1-1~deb10u2

purl pkg:deb/debian/roundcube@1.3.17%2Bdfsg.1-1~deb10u2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-14vp-t71a-4bh1

vulnerability	VCID-2eyy-k49d-m3af

vulnerability	VCID-2hap-9mqs-v3b8

vulnerability	VCID-2k4q-26tk-j3gx

vulnerability	VCID-2nb2-9vgp-tqg9

vulnerability	VCID-36et-26h7-pke7

vulnerability	VCID-3kyu-tx4q-p3aq

vulnerability	VCID-4yzj-hrqv-vbcp

vulnerability	VCID-5yts-xnha-4bf3

vulnerability	VCID-79me-pjdn-ykgq

vulnerability	VCID-7nn6-aywu-z7g8

vulnerability	VCID-8vmm-1hvf-17ap

vulnerability	VCID-8xf2-hjfv-hybh

vulnerability	VCID-9der-5csu-nbbq

vulnerability	VCID-9uv1-gqq7-3kc9

vulnerability	VCID-cjkd-2jr6-n7as

vulnerability	VCID-ck88-1urs-2kes

vulnerability	VCID-cnkc-vcp7-6kcw

vulnerability	VCID-ddfq-28qm-2fbn

vulnerability	VCID-gh6k-19h8-fqbf

vulnerability	VCID-hg1a-vx5c-hue3

vulnerability	VCID-jck5-xymf-s3bh

vulnerability	VCID-jqs5-8ct7-wfgk

vulnerability	VCID-kyxz-v3sj-w3cw

vulnerability	VCID-m4yc-ms54-zyhv

vulnerability	VCID-ncbg-6m11-3qan

vulnerability	VCID-qwak-6wgy-wfgs

vulnerability	VCID-rc91-j3kf-zfch

vulnerability	VCID-s6p1-rf35-euhy

vulnerability	VCID-u8a4-4pe2-9kcb

vulnerability	VCID-ub6x-9dku-c7fk

vulnerability	VCID-vehj-ytsm-kqgz

vulnerability	VCID-vtz8-zmp4-xbdh

vulnerability	VCID-x9j7-98zt-6ygt

vulnerability	VCID-xssa-fwbx-kybq

vulnerability	VCID-ybv7-hqmj-nbgr

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.3.17%252Bdfsg.1-1~deb10u2

url pkg:deb/debian/roundcube@1.4.15%2Bdfsg.1-1%2Bdeb11u4

purl pkg:deb/debian/roundcube@1.4.15%2Bdfsg.1-1%2Bdeb11u4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2hap-9mqs-v3b8

vulnerability	VCID-2nb2-9vgp-tqg9

vulnerability	VCID-3kyu-tx4q-p3aq

vulnerability	VCID-4yzj-hrqv-vbcp

vulnerability	VCID-5yts-xnha-4bf3

vulnerability	VCID-8vmm-1hvf-17ap

vulnerability	VCID-8xf2-hjfv-hybh

vulnerability	VCID-9uv1-gqq7-3kc9

vulnerability	VCID-ck88-1urs-2kes

vulnerability	VCID-ddfq-28qm-2fbn

vulnerability	VCID-gh6k-19h8-fqbf

vulnerability	VCID-rdb5-bbvn-7fcq

vulnerability	VCID-ub6x-9dku-c7fk

vulnerability	VCID-vtz8-zmp4-xbdh

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.4.15%252Bdfsg.1-1%252Bdeb11u4

References

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49113.json

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49113.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-49113

reference_id

reference_type

scores

value	0.90478
scoring_system	epss
scoring_elements	0.99609
published_at	2026-04-18T12:55:00Z

value	0.90891
scoring_system	epss
scoring_elements	0.99636
published_at	2026-04-21T12:55:00Z

value	0.91243
scoring_system	epss
scoring_elements	0.99653
published_at	2026-04-16T12:55:00Z

value	0.91574
scoring_system	epss
scoring_elements	0.9967
published_at	2026-04-02T12:55:00Z

value	0.91574
scoring_system	epss
scoring_elements	0.99675
published_at	2026-04-13T12:55:00Z

value	0.91574
scoring_system	epss
scoring_elements	0.99674
published_at	2026-04-09T12:55:00Z

value	0.91574
scoring_system	epss
scoring_elements	0.99673
published_at	2026-04-07T12:55:00Z

value	0.91574
scoring_system	epss
scoring_elements	0.99672
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-49113

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49113
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49113

reference_url

https://fearsoff.org/research/roundcube

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://fearsoff.org/research/roundcube

reference_url

https://github.com/roundcube/roundcubemail

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/roundcube/roundcubemail

reference_url

https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d

reference_url

https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695

reference_url

https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e

reference_url

https://github.com/roundcube/roundcubemail/pull/9865

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://github.com/roundcube/roundcubemail/pull/9865

reference_url

https://github.com/roundcube/roundcubemail/releases/tag/1.5.10

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://github.com/roundcube/roundcubemail/releases/tag/1.5.10

reference_url

https://github.com/roundcube/roundcubemail/releases/tag/1.6.11

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://github.com/roundcube/roundcubemail/releases/tag/1.6.11

reference_url

https://lists.debian.org/debian-lts-announce/2025/06/msg00008.html

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/06/msg00008.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-49113

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-49113

reference_url

https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10

reference_url

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113

reference_url

https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script

reference_url

https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detection

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-02-20T20:05:40Z/

url

https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detection

reference_url

http://www.openwall.com/lists/oss-security/2025/06/02/3

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2025/06/02/3

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107073
reference_id	1107073
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107073

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2369696
reference_id	2369696
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2369696

reference_url	https://security.archlinux.org/ASA-202506-1
reference_id	ASA-202506-1
reference_type
scores
url	https://security.archlinux.org/ASA-202506-1

reference_url

https://security.archlinux.org/AVG-2891

reference_id

AVG-2891

reference_type

scores

value	Critical
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-2891

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52324.NA
reference_id	CVE-2025-49113
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52324.NA

reference_url

https://github.com/advisories/GHSA-8j8w-wwqc-x596

reference_id

GHSA-8j8w-wwqc-x596

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8j8w-wwqc-x596

reference_url	https://usn.ubuntu.com/7584-1/
reference_id	USN-7584-1
reference_type
scores
url	https://usn.ubuntu.com/7584-1/

Weaknesses

cwe_id	502
name	Deserialization of Untrusted Data
description	The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

date_added	2026-02-20
description	RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.
required_action	Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
due_date	2026-03-13
notes	https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 ; https://github.com/roundcube/roundcubemail/releases/tag/1.5.10 ; https://github.com/roundcube/roundcubemail/releases/tag/1.6.11 ; https://nvd.nist.gov/vuln/detail/CVE-2025-49113
known_ransomware_campaign_use	`false`
source_date_published	`null`
exploit_type	`null`
platform	`null`
source_date_updated	`null`
data_source	KEV
source_url	`null`

date_added	2025-06-13
description	Roundcube 1.6.10 - Remote Code Execution (RCE)
required_action	`null`
due_date	`null`
notes	`null`
known_ransomware_campaign_use	`false`
source_date_published	2025-06-13
exploit_type	webapps
platform	multiple
source_date_updated	2025-06-13
data_source	Exploit-DB
source_url

date_added	`null`
description	Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. An attacker can execute arbitrary system commands as the web server.
required_action	`null`
due_date	`null`
notes	Stability: - crash-safe SideEffects: - ioc-in-logs Reliability: - repeatable-session
known_ransomware_campaign_use	`false`
source_date_published	2025-06-02
exploit_type	`null`
platform	Linux,Unix
source_date_updated	`null`
data_source	Metasploit
source_url	https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/roundcube_auth_rce_cve_2025_49113.rb

Severity_range_score 9.0 - 10.0

Exploitability 2.0

Weighted_severity 9.0

Risk_score 10.0

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3kyu-tx4q-p3aq

Vulnerability Instance