CVE-2025-49113: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-49113 affects Roundcube Webmail versions before 1.5.10 and 1.6.x before 1.6.11. The vulnerability allows remote code execution by authenticated users due to improper validation of the _from parameter in program/actions/settings/upload.php, which leads to PHP Object Deserialization (NVD, Roundcube News).

The vulnerability is classified as a PHP Object Deserialization issue (CWE-502) where the _from parameter in a URL is not properly validated in the upload.php file. The CVSS v3.1 score is 9.9 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact across confidentiality, integrity, and availability (NVD).

The vulnerability has a critical severity rating with potential for complete system compromise. As a post-authentication remote code execution vulnerability, it allows authenticated users to execute arbitrary code on the affected system, potentially leading to full system compromise (NVD).

The vulnerability has been fixed in Roundcube Webmail versions 1.5.10 and 1.6.11. System administrators are strongly recommended to update all productive installations to these versions immediately. The fix includes improved validation of URL parameters and the implementation of a helper method to check for simple strings (Roundcube News, GitHub Release).

The security update has received positive community response, with multiple users reacting positively to the release announcement on GitHub. The fix was acknowledged as an important security update, with 11 users giving it a thumbs up reaction (GitHub Release).