Roundcube before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution

Administrators should promptly update their Roundcube webmail installations to the latest version. The developers have fixed a security vulnerability in recent releases that could allow malicious code to be executed on affected systems.

According to this, the “critical” vulnerability (CVE-2025-49113) has been patched in versions 1.5.10 and 1.6.11. All earlier versions are believed to be vulnerable.

Although the flaw is rated as critical, attackers must be authenticated to exploit it. The issue arises because the `_from` parameter in URLs pointing to `program/actions/settings/upload.php` is not properly validated, allowing attackers to execute their own code.

A successful attack is likely to result in full compromise of the affected instance.

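A small triage helper, added here as an example and not code from Roundcube, Virtualmin or the poster: it encodes only the ranges stated above (fixed in 1.5.10 and 1.6.11, all earlier versions believed vulnerable) and runs them over a constructed host inventory. Pre-releases such as a hypothetical `1.6.11-rc1` are conservatively counted as unpatched, and branches newer than those the advisory names are reported as unknown rather than safe; both choices are assumptions of this example.

```python
import re

# Fix versions per maintained branch, as stated in the post. The trailing 1
# marks a final release; pre-releases carry 0 so "1.6.11-rc1" sorts below
# "1.6.11" and is treated as not yet fixed (conservative assumption).
FIXED = {(1, 5): (1, 5, 10, 1), (1, 6): (1, 6, 11, 1)}

_VER = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(-?(?:rc|beta|alpha|dev)\w*)?", re.I)

def parse_version(text):
    """Extract (major, minor, patch, final) from strings such as
    '1.6.10', 'roundcube-1.5.9' or '1.6.11-rc1'."""
    m = _VER.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)

def assess(version):
    """'patched', 'vulnerable' or 'unknown' for CVE-2025-49113."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return "patched" if v >= FIXED[branch] else "vulnerable"
    if v < (1, 5, 0, 0):
        return "vulnerable"  # no fixed release exists on these older branches
    return "unknown"         # newer than the branches the advisory names

def triage(inventory):
    """Return [(host, version, status)] for every host not confirmed patched."""
    return [(host, ver, assess(ver)) for host, ver in sorted(inventory.items())
            if assess(ver) != "patched"]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mail1.example.test": "1.6.10",
    "mail2.example.test": "1.6.11",
    "legacy.example.test": "roundcube-1.4.15",
    "staging.example.test": "1.6.11-rc1",
    "mail3.example.test": "1.5.10",
}

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:24} {ver:18} {status}")
```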

To be clear, exploiting Roundcube in a properly configured Virtualmin system can only ever result in the domain account being compromised, because all web apps run as the domain owner user. That’s still very serious, of course, as it means everything in the domain, including user mail and databases, are compromised, and you probably can’t ever trust anything in the domain home again without restoring from a pre-exploit backup.

Virtualmin already has these new versions available, if you’ve got dynamic script updates enabled. It was committed a couple days ago. New roundcube versions · virtualmin/virtualmin-gpl@585966c · GitHub
