Fixed Intel

CISA Known Exploited Vulnerability

This vulnerability is actively exploited in the wild and listed in the CISA Known Exploited Vulnerabilities catalog.

Remediation Deadline: Mar 13, 2026

CVE-2025-49113

High
EPSS 90.4%CISA KEV
Roundcube/Webmail

Description

RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.

EPSS — Exploit Probability

90.4%

Higher than 99.6% of all CVEs

Required Action

https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 ; https://github.com/roundcube/roundcubemail/releases/tag/1.5.10 ; https://github.com/roundcube/roundcubemail/releases/tag/1.6.11 ; https://nvd.nist.gov/vuln/detail/CVE-2025-49113

Related Articles (1)

Vulnerabilities

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

Feb 20, 2026

Risk Assessment

HIGH
In CISA KEV
High EPSS

Details

Severity
High
EPSS
90.4%
CISA KEV
Yes
Ransomware
Unknown
Articles
1

Timeline

Published

Feb 20, 2026

Added to KEV

Feb 20, 2026

Remediation Due

Mar 13, 2026

Affected Product

Roundcube

Webmail

View all Roundcube CVEs

External Links

NVD (NIST)CVE DetailsMITRE CVE