The developers of Roundcube Webmail have released security updates for their long-term support (LTS) versions 1.5 and 1.6. These updates fix a recently identified security vulnerability that could potentially be exploited by malicious actors.
A security flaw, identified as CVE-2025-49113, affects all versions of Roundcube released before 1.5.10 and 1.6.11. This vulnerability allows an attacker with access to a user account to execute malicious code remotely on the server. The flaw involves the “_from” parameter in URLs, which was not properly validated, leading to a security risk called remote code execution.
This means a malicious user could potentially take control of the server, access sensitive data, or perform other harmful activities. The issue was reported by security researcher Kirill Firsov.
The latest versions — 1.5.10 and 1.6.11 — include critical patches that address this security flaw, preventing exploitation.
If you use Roundcube Webmail in your organization, it is strongly recommended to update to these new versions immediately. Keeping your software up-to-date is essential to protect your data and ensure your email system remains secure and reliable.
In addition to fixing the vulnerability, these updates contain numerous improvements and bug fixes to enhance stability, usability, and compatibility. Highlights include:
- Fixes related to email folder management, LDAP connections, and message previews.
- Improvements to the installer and user interface.
- Fixes for dark mode display issues and email attachment handling.
- General bug fixes to improve overall performance.
These updates address a critical security vulnerability that could allow unauthorized code execution, which might compromise your server. Promptly updating your installation is essential to maintain a secure and stable email environment.
Visit the official Roundcube download page or follow your current update process. To learn more about Roundcube’s latest updates, visit their website post.
Leave a Reply