
Issue Roundcube vulnerability CVE-2025-49113

Mark_NLD

Basic Pleskian
Server operating system version
Ubuntu 24.04
Plesk version and microupdate number
18.0.56 #2
Roundcube has a new vulnerability: CVE-2025-49113

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

Aleksander Machniak has released a security update: Roundcube Webmail 1.6.11

When can we expect this fix to be included in Plesk?
 
Roundcube has a new vulnerability: CVE-2025-49113
Aleksander Machniak has released a security update: Roundcube Webmail 1.6.11
When can we expect this fix to be included in Plesk?
In addition to the important post above (i.e. Plesk upgrading their support, to enable us all to utilize Roundcube 1.6.11 asap) can Plesk - at the same time - please ensure that Roundcube 1.6.11 (when hosted within Plesk) IS available on PHP 8.4.* NOT just PHP 8.3.* > because currently, we're (yet again) 'stuck' as Plesk (since 18.0.67) still only supports Roundcube on PHP 8.3.* > and in many cases (ours included) PHP 8.3.* isn't needed for anything else...
 
Please find the patch here:


can Plesk - at the same time - please ensure that Roundcube 1.6.11 (when hosted within Plesk) IS available on PHP 8.4.* NOT just PHP 8.3.* > because currently, we're (yet again) 'stuck' as Plesk (since 18.0.67) still only supports Roundcube on PHP 8.3.* > and in many cases (ours included) PHP 8.3.* isn't needed for anything else...

I will double-check when we plan to move Roundcube to PHP 8.4 and will follow up with more details as soon as possible.
 
Thank you @Sebahat.hadzhi. That's the most urgent fix, very quickly resolved.
In between steps 1. and 2. of the syntax provided in that patch article, one obvious step is missing, so just posting it here, in case anybody forgets:

Either rename the file to match what the patch command expects:
Bash:
mv 32537223826583 patch-roundcube-1.6.10-CVE-2025-49113
patch -p1 -d /usr/share/psa-roundcube < patch-roundcube-1.6.10-CVE-2025-49113
Or use the actual filename in the patch command:
Bash:
patch -p1 -d /usr/share/psa-roundcube < 32537223826583
Both methods work, obviously; it's just ensuring that the filename after the redirect < matches the actual file on disk.
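As an added example (my own, not from this thread or Plesk's patch article): a POSIX sh check that classifies an installed Roundcube version against the affected ranges quoted in the first post, assuming Plesk's Roundcube lives in /usr/share/psa-roundcube (the path used in the patch command above) and that Roundcube defines RCMAIL_VERSION in program/include/iniset.php.

```shell
#!/bin/sh
# Added example: classify an installed Roundcube against the affected ranges
# stated for CVE-2025-49113 ("before 1.5.10, and 1.6.x before 1.6.11").

# roundcube_affected VERSION
# Exit status: 0 = affected range, 1 = not affected, 2 = version not understood.
roundcube_affected() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;   # only digits and dots allowed
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -ge 3 ] || return 2                 # need MAJOR.MINOR.PATCH
    major=$1; minor=$2; patch=$3
    if [ "$major" -ne 1 ]; then
        [ "$major" -lt 1 ] && return 0       # 0.x is "before 1.5.10"
        return 1                             # 2.x and later: outside both ranges
    fi
    [ "$minor" -lt 5 ] && return 0                          # 1.0 .. 1.4
    [ "$minor" -eq 5 ] && [ "$patch" -lt 10 ] && return 0   # 1.5.0 .. 1.5.9
    [ "$minor" -eq 6 ] && [ "$patch" -lt 11 ] && return 0   # 1.6.0 .. 1.6.10
    return 1
}

# installed_roundcube_version DIR
# Prints the version string from program/include/iniset.php (assumption:
# the install defines RCMAIL_VERSION there, as upstream releases do).
installed_roundcube_version() {
    sed -n "s/^define('RCMAIL_VERSION', *'\([^']*\)').*/\1/p" \
        "$1/program/include/iniset.php" 2>/dev/null | head -n 1
}

# check_roundcube_install DIR
# Prints a one-line verdict and returns the roundcube_affected status.
check_roundcube_install() {
    dir=${1:-/usr/share/psa-roundcube}        # Plesk's Roundcube path (assumed)
    ver=$(installed_roundcube_version "$dir")
    if [ -z "$ver" ]; then
        echo "$dir: could not determine Roundcube version"; return 2
    fi
    rc=0; roundcube_affected "$ver" || rc=$?
    case $rc in
        0) echo "$dir: Roundcube $ver is within the CVE-2025-49113 affected range" ;;
        1) echo "$dir: Roundcube $ver is outside the affected range" ;;
        *) echo "$dir: version '$ver' not understood" ;;
    esac
    return $rc
}

# Run directly against the default Plesk location when it exists.
if [ -d "${1:-/usr/share/psa-roundcube}" ]; then
    check_roundcube_install "$1" || true
fi
```

A backported fix such as the patch in this thread leaves the version string at 1.6.10, so this check alone cannot confirm that the patch was applied; after running patch, inspect the patched upload.php itself.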
 
Thank you for pointing that out. I asked our team to add the step and they will update it shortly.

Regarding your other question, our team mentioned that according to Roundcube's documentation, version 1.6 (which we currently ship) doesn't support 8.4. Thus, at this point, there is no plan for such a shift.
 
Regarding your other question, our team mentioned that according to Roundcube's documentation, version 1.6 (which we currently ship) doesn't support 8.4. Thus, at this point, there is no plan for such a shift.
My apologies. I meant Roundcube version 1.6.11, as I was assuming that Plesk would be upgrading to that shortly.
However, in fairness, I just double-checked and Roundcube won't fully support PHP 8.4 until version 1.7 onward anyway, so... :D
 