28 matches found
[SECURITY] [DSA 6317-1] symfony security update
Debian Security Advisory DSA-6317-1 https://www.debian.org/security/ Moritz Muehlenhoff June 01, 2026 https://www.debian.org/security/faq ...
GHSA-M7V2-7GXM-VC2V Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener
Description Symfony\Bridge\Monolog\Command\ServerLogCommand the server:log console command is a development-time helper that opens a TCP listener and displays log records pushed to it by the application's logging pipeline. Two unsafe defaults combine into a remotely reachable PHP...
Exploit for Deserialization of Untrusted Data in Roundcube Webmail
CVE-2025-49113 — Roundcube Post-Auth RCE via PHP Object Deseri...
VulnCheck KEV: CVE-2024-2053
The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user. This issue was demonstrated on version 4.50 of the The Artica-Proxy administrative web application attempts to...
Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 / 25.04 : Roundcube vulnerability (USN-7584-1)
The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 / 25.04 host has packages installed that are affected by a vulnerability as referenced in the USN-7584-1 advisory. It was discovered that Roundcube Webmail did not properly sanitize the from parameter in a URL,...
Ubuntu: Security Advisory (USN-7584-1)
The remote host is missing an update for the...
USN-7584-1: Roundcube vulnerability
It was discovered that Roundcube Webmail did not properly sanitize the from parameter in a URL, leading to PHP Object Deserialization. A remote attacker could possibly use this issue to execute arbitrary code...
Exploit for CVE-2025-49113
CVE‑2025‑49113 – Post‑Auth Remote Code Execution in Roundcube...
Roundcube 1.6.10 - Remote Code Execution (RCE)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization', 'Description' = %q Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allo...
Fedora 42 : roundcubemail (2025-70701de9de)
The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-70701de9de advisory. This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to recently reported security vulnerabilities: Fix Post-Auth RCE...
Fedora 41 : roundcubemail (2025-a5f56fe8ff)
The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-a5f56fe8ff advisory. This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to recently reported security vulnerabilities: Fix Post-Auth RCE...
Exploit for CVE-2025-49113
CVE-2025-49113 PoC Repository Overview of CVE-2025-49113 C...
Exploit for CVE-2025-49113
📧 Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserializat...
FreeBSD : Post-Auth Remote Code Execution found in Roundcube Webmail (0d6094a2-4095-11f0-8c92-00d861a0e66d)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 0d6094a2-4095-11f0-8c92-00d861a0e66d advisory. Roundcube Webmail reports: Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v Tenable...
Critical 10-Year-Old Roundcube Webmail Bug Allows Authenticated Users Run Malicious Code
Cybersecurity researchers have disclosed details of a critical security flaw in the Roundcube webmail software that has gone unnoticed for a decade and could be exploited to take over susceptible systems and execute arbitrary code. The vulnerability, tracked as CVE-2025-49113 , carries a CVSS sco...
Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization...
GHSA-8J8W-WWQC-X596 Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization...
CVE-2025-49113
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization...
CVE-2025-49113
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization...
CVE-2025-49113
CVE-2025-49113 affects Roundcube Webmail (Roundcube core) with PHP Object Deserialization via the unvalidated _from parameter in actions/settings/upload.php. The issue allows remote code execution by an authenticated user. Public advisories confirm RCE implications and that patches were released...