Critical Security Flaw Discovered in Roundcube Webmail

Web administrators are urged to promptly update their Roundcube Webmail installations following the release of significant security updates. The developers have addressed a serious vulnerability that could allow malicious code to infiltrate systems.

The identified flaw, categorized as critical (CVE-2025-49113), affects versions 1.5.10 and 1.6.11, with all prior versions remaining susceptible. Although the vulnerability is deemed critical, attackers must be authenticated to exploit it, which adds a layer of complexity to potential attacks.

The vulnerability arises from inadequate validation of the from-parameter in URLs found in the program/actions/settings/upload.php file. This oversight enables attackers to execute their own code, posing a risk of complete system compromise after a successful breach.

While there are currently no reports of active attacks leveraging this vulnerability, it is crucial for administrators not to delay the installation of the security updates. The developers strongly recommend timely action to mitigate risks. According to researchers from FearsOff, this vulnerability has existed for a decade and affects more than 53 million hosts, underscoring the need for immediate preventative measures.

As organizations increasingly rely on webmail solutions for communication, ensuring the security of such platforms is paramount. The patch release serves as a reminder for all webmail users to maintain vigilant security practices and regularly update their software to safeguard against potential threats.