Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-8j8w-wwqc-x596

GitHub Security Advisory

Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization

✓ GitHub Reviewed CRITICAL Has CVE
View on GitHub

Advisory Details

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

Affected Packages

Packagist roundcube/roundcubemail
Affected versions: 0
Packagist roundcube/roundcubemail
Affected versions: 1.6.0

Related CVEs

CVE-2025-49113

Key Information

GHSA ID
GHSA-8j8w-wwqc-x596
Published
June 2, 2025 6:30 AM
Last Modified
June 13, 2025 8:45 PM
CVSS Score
9.0 /10
Primary Ecosystem
Packagist
Primary Package
roundcube/roundcubemail
GitHub Reviewed
✓ Yes

Dataset

Last updated: June 14, 2025 6:24 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.