2031 matches found

Cvelist
added 2025/06/02 12:0 a.m. · 18 views

CVE-2025-49113

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization...

9.9 CVSS · 0.89163 EPSS
Exploits 29 · References 10

CNNVD
added 2025/06/02 12:0 a.m. · 3 views

Roundcube Webmail Code Issue Vulnerability

RoundCube Webmail is a browser-based open source multi-language IMAP client, using PHP + Ajax development, to provide a desktop application-like interface and complete mail management features. Roundcube Webmail has a deserialization vulnerability, the vulnerability stems from the...

9.9 CVSS · 7 AI score · 0.89163 EPSS
Exploits 29 · References 13

CVE
added 2025/06/02 12:0 a.m. · 547 views

CVE-2025-49113

CVE-2025-49113 affects Roundcube Webmail (Roundcube core) with PHP Object Deserialization via the unvalidated _from parameter in actions/settings/upload.php. The issue allows remote code execution by an authenticated user. Public advisories confirm RCE implications and that patches were released...

9.9 CVSS · 8 AI score · 0.89163 EPSS
In wild · Exploits 29 · References 13 · Affected Software 1

Positive Technologies
added 2025/06/02 12:0 a.m. · 2 views

PT-2025-23470 · Roundcube · Roundcube

Name of the Vulnerable Software and Affected Versions: Roundcube versions prior to 1.6.11 Description: The issue is related to a Post-Auth RCE via PHP Object Deserialization in Roundcube. It is estimated that over 53 million hosts are potentially affected. The bug has existed undetected for 10...

6.7 AI score
Exploits 28 · References 4

Tenable Nessus
added 2025/06/02 12:0 a.m. · 16 views

Debian dsa-5934 : roundcube - security update

The remote Debian 12 host has packages installed that are affected by a vulnerability as referenced in the dsa-5934 advisory. Debian Security Advisory DSA-5934-1 https://www.debian.org/security/ Moritz...

9.9 CVSS · 8.7 AI score · 0.89163 EPSS
Exploits 29 · References 4

OSV
added 2025/06/02 12:0 a.m. · 7 views

DSA-5934-1 roundcube - security update

Bulletin has no description...

9.9 CVSS · 9.7 AI score · 0.89163 EPSS
Exploits 29

Debian CVE
added 2025/06/02 12:0 a.m. · 12 views

CVE-2025-49113

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization...

9.9 CVSS · 9.5 AI score · 0.89163 EPSS
Exploits 29

OpenVAS
added 2025/06/02 12:0 a.m. · 92 views

Roundcube Webmail RCE Vulnerability (Jun 2025) - Windows

Roundcube Webmail is prone to an authenticated remote code execution (RCE) vulnerability via PHP object deserialization. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s)...

9.9 CVSS · 8.9 AI score · 0.89163 EPSS
Exploits 29 · References 5

OpenVAS
added 2025/06/02 12:0 a.m. · 85 views

Roundcube Webmail RCE Vulnerability (Jun 2025) - Linux

Roundcube Webmail is prone to an authenticated remote code execution (RCE) vulnerability via PHP object deserialization. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s)...

9.9 CVSS · 8.9 AI score · 0.89163 EPSS
Exploits 29 · References 5

FreeBSD
added 2025/06/01 12:0 a.m. · 20 views

Post-Auth Remote Code Execution found in Roundcube Webmail

Roundcube Webmail reports: Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v...

9.9 CVSS · 7.1 AI score · 0.89163 EPSS
Exploits 29 · References 1

Information Security Automation
added 2025/05/27 11:55 p.m. · 21 views

Vulnerabilities of Western logistics

Vulnerabilities of Western logistics. On May 21, Western intelligence agencies released joint advisory AA25-141A about attacks targeting infrastructure of Western logistics and tech companies. Alongside the usual Five Eyes, intelligence services from Germany, Czech Republic, Poland, Denmark,...

9.8 CVSS · 9 AI score · 0.97798 EPSS
Exploits 69

GithubExploit
added 2025/05/26 12:31 a.m. · 355 views

Exploit for Cross-site Scripting in Roundcube Webmail

CVE-2024-42008-9-exploit The scripts in this repository are ma...

9.3 CVSS · 7.2 AI score · 0.82853 EPSS
Exploits 9

GithubExploit
added 2025/05/24 7:15 p.m. · 487 views

Exploit for Cross-site Scripting in Roundcube Webmail

CVE-2024-42009 PoC: Email Capture Listener & XSS Exploit in Ro...

9.3 CVSS · 8.8 AI score · 0.82853 EPSS
Exploits 6

RedhatCVE
added 2025/05/23 4:25 a.m. · 10 views

CVE-2023-43770

Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior...

6.1 CVSS · 6 AI score · 0.56895 EPSS
Exploits 2 · References 1

RedhatCVE
added 2025/05/22 6:56 p.m. · 3 views

CVE-2021-46144

Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences...

6.1 CVSS · 5.6 AI score · 0.01045 EPSS
Exploits 0

RedhatCVE
added 2025/05/22 4:23 p.m. · 6 views

CVE-2020-15562

An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists...

6.1 CVSS · 5.4 AI score · 0.02073 EPSS
Exploits 0

RedhatCVE
added 2025/05/22 6:7 a.m. · 3 views

CVE-2016-10770

cPanel before 60.0.25 allows arbitrary file-overwrite operations during a Roundcube update (SEC-164)...

6.5 CVSS · 7 AI score · 0.00746 EPSS
Exploits 0 · References 1

Packet Storm
added 2025/04/11 12:0 a.m. · 315 views

Roundcube 1.6.6 Cross Site Scripting

Roundcube mail server versions earlier than 1.5.6 and 1.6 through 1.6.6 suffer from a persistent cross site scripting vulnerability. Exploit Title: Roundcube mail server exploit for CVE-2024-37383 Stored XSS Google Dork: Exploit Author: AmirZargham Vendor Homepage: Roundcube - Free and Open Sourc...

6.1 CVSS · 6.5 AI score · 0.73296 EPSS
Exploits 5

Exploit DB
added 2025/04/11 12:0 a.m. · 360 views

Roundcube Webmail 1.6.6 - Stored Cross Site Scripting (XSS)

Exploit Title: Roundcube Webmail 1.6.6 - Stored Cross Site Scripting XSS Google Dork: Exploit Author: AmirZargham Vendor Homepage: Roundcube - Free and Open Source Webmail Software Software Link: Releases · roundcube/roundcubemail Version: Roundcube client version earlier than 1.5.6 or from 1.6 t...

6.1 CVSS · 6.4 AI score · 0.73296 EPSS
Exploits 5

Tenable Nessus
added 2025/03/04 12:0 a.m. · 11 views

Linux Distros Unpatched Vulnerability : CVE-2019-15237

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks. CVE-2019-15237 Note that Nessus relies on the presence of t...

7.4 CVSS · 7.1 AI score · 0.00919 EPSS
Exploits 0 · References 2