Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
In the file program/actions/settings/upload.php, the _from parameter passed in the URL is not subject to any validation. An attacker can submit a crafted payload that undergoes PHP Object Deserialization, leading to arbitrary code execution on the server side. The attack requires a valid user account in the application but does not require any administrative privileges.
An attacker can gain full control of the server running Roundcube Webmail — obtaining access to stored data, the ability to modify or permanently delete it, and potentially enabling lateral movement within the internal network.
Roundcube Webmail must be immediately updated to version 1.5.10 or 1.6.11. Patches are available in the project repository (commits: 0376f69, 7408f31, c50a07d). If immediate patching is not possible, it is recommended to restrict access to the Roundcube instance to trusted networks and implement enhanced monitoring of application logs.
Roundcube Webmail versions prior to 1.5.10 and in the 1.6.x branch before 1.6.11, as well as systems based on Debian Linux that distribute these package versions.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HDebian
OSDebian11.0Roundcube Webmail
APPRoundcube< 1.5.101.6.0 – 1.6.11 (bez)
CISA KEV — detailsi
- Vendori
- Roundcube
- Producti
- Webmail
- Added to KEVi
- February 20, 2026
- Remediation deadline (US Federal)i
- March 13, 2026(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.
Related vulnerabilities
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki
Apache Tomcat: Path Equivalence prowadzący do RCE i ujawnienia danych