ELA-1462-1 roundcube security update

remote code execution

2025-06-17
Package: roundcube
Version: 1.3.17+dfsg.1-1~deb10u8 (buster)
Related CVEs: CVE-2025-49113


Kirill Firsov discovered that Roundcube, a skinnable AJAX-based webmail solution for IMAP servers, performed PHP object deserialization on unvalidated input, which could lead to remote code execution by an authenticated attacker.



For Debian 10 buster, this problem has been fixed in version 1.3.17+dfsg.1-1~deb10u8.

We recommend that you upgrade your roundcube packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.