CISA Adds Two Actively Exploited Flaws in Roundcube
⚠️ CISA has added two Roundcube webmail vulnerabilities — CVE-2025-49113 and CVE-2025-68461 — to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. CVE-2025-49113 (CVSS 9.9) is an authenticated deserialization flaw allowing remote code execution via an unvalidated _from parameter and was fixed in June 2025. CVE-2025-68461 (CVSS 7.2) is an XSS triggered by the SVG animate tag and was patched in December 2025 in Roundcube releases 1.6.12 and 1.5.12. Researchers reported weaponization within 48 hours and an exploit was offered for sale; FCEB agencies must remediate by March 13, 2026.
