I. Basic Information for CVE-2025-49113
Vulnerability Information


Vulnerability Title
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Description
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
Deserialization of Untrusted Data
Source: NVD (National Vulnerability Database)
Vulnerability Title
Roundcube Webmail Security Vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
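Roundcube Webmail is an open-source, browser-based IMAP client from Roundcube. It supports address book management, message search, spell checking, and more. Roundcube Webmail versions before 1.5.10 and versions before 1.6.11 contain a security vulnerability that stems from the _from parameter not being validated, which can lead to a PHP object deserialization attack.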
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE |
|---|---|---|---|
| Roundcube | Webmail | 0 ~ 1.5.10 | - |
II. Public POCs for CVE-2025-49113
| # | POC Description | Source Link |
|---|---|---|
| 1 | Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-49113.yaml |
| 2 | Detection for CVE-2025-49113 | https://github.com/rxerium/CVE-2025-49113 |
| 3 | CVE-2025-49113 - Roundcube <= 1.6.10 Post-Auth RCE via PHP Object Deserialization | https://github.com/Ademking/CVE-2025-49113-nuclei-template |
| 4 | None | https://github.com/fearsoff-org/CVE-2025-49113 |
| 5 | None | https://github.com/rasool13x/exploit-CVE-2025-49113 |
| 6 | CVE-2025-49113 exploit | https://github.com/SyFi/CVE-2025-49113 |
| 7 | Proof of Concept demonstrating Remote Code Execution through insecure deserialization in Roundcube (CVE-2025-49113). | https://github.com/hakaioffsec/CVE-2025-49113-exploit |
| 8 | Proof-of-concept to CVE-2025-49113 | https://github.com/BiiTts/Roundcube-CVE-2025-49113 |
| 9 | Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. | https://github.com/Yuri08loveElaina/CVE-2025-49113 |
| 10 | CVE-2025-49113 | https://github.com/B1ack4sh/Blackash-CVE-2025-49113 |
| 11 | Explanation + lab on THM | https://github.com/5kr1pt/Roundcube_CVE-2025-49113 |
| 12 | None | https://github.com/punitdarji/roundcube-cve-2025-49113 |
| 13 | A powerful Python scanner to detect CVE-2025-49113 vulnerability in Roundcube Webmail. Developed by Issam Junior (@issamiso). | https://github.com/issamjr/CVE-2025-49113-Scanner |
| 14 | None | https://github.com/hackmelocal/HML-CVE-2025-49113-Round-Cube |
| 15 | None | https://github.com/Joelp03/CVE-2025-49113 |
| 16 | None | https://github.com/hackmelocal/CVE-2025-49113-Simulation |
| 17 | 💥 Python Exploit for CVE-2025-49113 \| Roundcube Webmail RCE via PHP Object Injection | https://github.com/00xCanelo/CVE-2025-49113 |
| 18 | None | https://github.com/CyberQuestor-infosec/CVE-2025-49113-Roundcube_1.6.10 |
| 19 | This is a rewritten exploit to work with php | https://github.com/SteamPunk424/CVE-2025-49113-Roundcube-RCE-PHP |
| 20 | POC of CVE-2025-49113 | https://github.com/Zwique/CVE-2025-49113 |
| 21 | Python Script for CVE-2025-49113. Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. | https://github.com/AC8999/CVE-2025-49113 |
| 22 | Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization | https://github.com/LeakForge/CVE-2025-49113 |
| 23 | None | https://github.com/Zuack55/Roundcube-1.6.10-Post-Auth-RCE-CVE-2025-49113- |
| 24 | CVE-2025-49113 - Roundcube Remote Code Execution | https://github.com/l4f2s4/CVE-2025-49113_exploit_cookies |
| 25 | Hands-on exploitation lab for Roundcube Webmail CVE-2025-49113 (authenticated PHP object deserialization → RCE) to read /secret.txt. | https://github.com/ankitpandey383/roundcube-cve-2025-49113-lab |
| 26 | CVE-2025-49113 | https://github.com/Ashwesker/Blackash-CVE-2025-49113 |
| 27 | CVE-2025-49113 | https://github.com/Ashwesker/Ashwesker-CVE-2025-49113 |
| 28 | None | https://github.com/Evillm/CVE-2025-49113-PoC |