| Package | roundcube |
|---|---|
| Version | 1.3.17+dfsg.1-1~deb10u8 (buster) |
| Related CVEs | CVE-2025-49113 |
Kirill Firsov discovered that Roundcube, a skinnable AJAX based webmail solution for IMAP servers, was performing PHP Object deserialization on unvalidated input, which could lead to remote code execution by an authenticated attacker.
For Debian 10 buster, these problems have been fixed in version 1.3.17+dfsg.1-1~deb10u8.
We recommend that you upgrade your roundcube packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.