CVE-2025-49113 · CISA KEV: Actively Exploited

RoundCube Webmail Deserialization of Untrusted Data Vulnerability

Published Feb 20, 2026 · Updated Feb 20, 2026

Description

RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.

Public Exploits & PoCs (19 found)

PoC: CVE-2025-49113-exploit

Proof of Concept demonstrating Remote Code Execution through insecure deserialization in Roundcube (CVE-2025-49113).

PoC: CVE-2025-49113-Scanner

A powerful Python scanner to detect CVE-2025-49113 vulnerability in Roundcube Webmail. Developed by Issam Junior (@issamiso).

PoC: CVE-2025-49113-nuclei-template

CVE-2025-49113 - Roundcube <= 1.6.10 Post-Auth RCE via PHP Object Deserialization

PoC: CVE-2025-49113

Detection for CVE-2025-49113

PoC: CVE-2025-49113-Roundcube-RCE

CVE-2025-49113 – Roundcube ≤1.6.10 post-auth RCE via PHP object deserialization (HackTheBox CTF)

PoC: CVE-2025-49113

Roundcube Webmail post-auth RCE via PHP object deserialization (CVE-2025-49113)

PoC: roundcube-cve-2025-49113-lab

Hands-on exploitation lab for Roundcube Webmail CVE-2025-49113 (authenticated PHP object deserialization → RCE) to read /secret.txt.

PoC: CVE-2025-49113-exploit.php

CVE-2025-49113 - Roundcube Remote Code Execution

PoC: CVE-2025-49113

Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization

PoC: CVE-2025-49113

Python Script for CVE-2025-49113. Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

PoC: CVE-2025-49113

POC of CVE-2025-49113

PoC: CVE-2025-49113-Roundcube-RCE-PHP

This is a rewritten exploit to work with PHP

PoC: CVE-2025-49113

💥 Python Exploit for CVE-2025-49113 | Roundcube Webmail RCE via PHP Object Injection

PoC: Roundcube_CVE-2025-49113

Explanation + Lab on THM

PoC: Blackash-CVE-2025-49113

CVE-2025-49113

PoC: WriteUp-Roundcube_CVE-2025-49113

Explanation + write-up of the TryHackMe lab

PoC: CVE-2025-49113

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

PoC: Roundcube-CVE-2025-49113

Proof-of-concept to CVE-2025-49113

PoC: CVE-2025-49113

CVE-2025-49113 exploit
