CVE-2025-68461 – Roundcube Webmail Remote Code Execution and Cross-Site Scripting Vulnerabilities
“A single malicious email could give attackers control of your mail server or steal user sessions.”
This patch addresses two serious vulnerabilities in Roundcube Webmail, impacting both server integrity and user security.
CVE-2025-49113 – CVSS 9.9 (Critical)
This remote code execution vulnerability allows an authenticated attacker to exploit improper input handling in mail processing components. By delivering specially crafted content, an attacker can execute arbitrary code on the mail server. Successful exploitation could lead to full server compromise, unauthorized mailbox access, data theft, or persistent backdoor installation. The near-maximum severity reflects the high impact on confidentiality, integrity, and availability.
CVE-2025-68461 – CVSS 7.2 (High)
This stored cross-site scripting (XSS) vulnerability allows attackers to inject malicious JavaScript into email content. When a victim opens the message, the script executes within their authenticated session. This can result in session hijacking, credential theft, mailbox manipulation, and unauthorized actions performed as the victim.
There are no confirmed reports of active exploitation at this time. The update strengthens input validation, corrects unsafe parsing behavior, and improves output encoding protections to block script injection and prevent server-side code execution.
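As an added example that is not Roundcube's code and not the patch described above, the Python below shows the defensive pattern the fix relies on for the XSS issue: rebuilding an untrusted HTML mail body from an allowlist of tags and attributes, so that script elements, event-handler attributes and javascript: URLs never reach the rendered page, plus a small detector a mail administrator could run over stored messages to flag those patterns. The allowlists, the sanitizer and the sample message are assumptions constructed for the demonstration; Roundcube's own sanitizer is a different implementation.

```python
"""Added example (not Roundcube's code): allowlist-based HTML sanitization
for rendering untrusted email bodies, plus a detector that flags the
script-injection patterns a stored-XSS payload typically relies on.
Assumption: the webmail front end renders HTML mail inline, so the safe
approach is to rebuild the markup from an allowlist rather than trying to
strip known-bad patterns from the original."""

import html
import re
from html.parser import HTMLParser

# Tags the renderer may emit; any other tag is dropped (its text is kept).
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "u", "div", "span",
                "ul", "ol", "li", "a", "blockquote"}
# Tags whose content is dropped as well, because it is code, not prose.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
# Attributes allowed per tag; everything else (every on* handler included) is dropped.
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")
VOID_TAGS = {"br"}


def _safe_url(value):
    """Accept only explicit safe schemes; rejects javascript:, data:, vbscript: etc."""
    v = value.strip().lower()
    return any(v.startswith(s) for s in SAFE_URL_SCHEMES)


class MailHtmlSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes and re-escapes all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside a DROP_CONTENT tag

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not _safe_url(value):
                    continue  # drop javascript: and other unsafe links
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing form, e.g. <br/>; a self-closing dropped tag has no content.
        if tag.lower() in DROP_CONTENT_TAGS:
            return
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is decoded by the parser, so re-escape it: decoded '<' must not
        # be able to re-open markup in the output.
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))
    # Comments and declarations fall through to the no-op defaults and are dropped.


def sanitize_mail_html(raw_html):
    """Return a rendering-safe version of an untrusted HTML mail body."""
    parser = MailHtmlSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)


# Heuristic indicators for triage of stored messages (not a substitute for sanitizing).
XSS_INDICATORS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("event handler attribute", re.compile(r"\son[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
]


def find_script_indicators(raw_html):
    """Labels of the XSS indicators present in raw_html, in XSS_INDICATORS order."""
    return [label for label, rx in XSS_INDICATORS if rx.search(raw_html)]


# Constructed sample: an HTML mail body carrying typical stored-XSS payloads.
SAMPLE_MAIL_HTML = (
    '<div><p>Hi <b>team</b>, see the <a href="https://example.com/report">report</a>.</p>'
    '<script>alert(1)</script>'
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(1)">click</a>'
    '<p>Regards &lt;ops&gt;</p></div>'
)

if __name__ == "__main__":
    print("indicators:", find_script_indicators(SAMPLE_MAIL_HTML))
    print("rendered  :", sanitize_mail_html(SAMPLE_MAIL_HTML))
```

The design point is that the sanitizer never tries to recognise attack strings: it emits only what is on the allowlist and escapes everything else, so an encoding trick the regex detector misses still cannot execute. The detector is useful for triage (which mailboxes received messages carrying these patterns), not as the protection itself.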
Key Details
- Affected Product: Roundcube Webmail
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- CWE Classification: CWE-79