Resolved Roundcube vulnerability CVE-2025-49113

Hi, @Laurent_Chouraki . Thank you for the question. Our team is already working on updating Roundcube to 1.6.13 and backporting patches to 1.4. The plan is to introduce the changes along with Plesk Obsidian 18.0.76, which is scheduled for release on the 17th of February.
 
I am not entirely sure what exactly the impact is. There hasn't been an extensive investigation on it. Rather than that, our team focused on delivering the update and the backport patches as quickly as possible.
 
Hi, @Kaspar . At this point, there is no plan to backport the changes to version 18.0.75. However, the decision can be reconsidered based on the CVE score and exploitability.
 
If you'd like to hold off on upgrading to Plesk 18.0.76 for a while so as not to get surprised by any yet unknown bugs or product issues, like I do, you can manually patch Roundcube with the attached patch file.

Code:
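# Back up the current Roundcube tree before touching it
tar -cvf backup-psa-roundcube.tar /usr/share/psa-roundcube/
# Download the attached patch (URL quoted so the shell does not treat "?" as a glob)
wget -cO - 'https://talk.plesk.com/attachments/patch-roundcube-1-6-13-zip.29152/?hash=bc8b34c520188ef5247789512361b506' > patch.roundcube-1.6.13.zip
# Unpack the archive and apply the patch inside the Roundcube directory
unzip patch.roundcube-1.6.13.zip
patch -p1 -d /usr/share/psa-roundcube < patch.roundcube-1.6.13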
 

Attachments

  • patch.roundcube-1.6.13.zip
    2.6 KB
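A more defensive form of the manual patch procedure in the post above, as an added example that is not part of the thread or Plesk's own tooling: it takes the backup, dry-runs the patch, and writes to the tree only if every hunk applies. The function names, the demo tree and the demo patch are constructed for illustration; `--dry-run` and `--forward` are GNU patch options.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check a patch before applying it.

# apply_patch_checked <target_dir> <patch_file> <backup_tar>
# Returns 0 if applied, 1 if the dry run failed (tree left untouched),
# 2 if the arguments are wrong or the backup could not be written.
apply_patch_checked() {
    local target=$1 patchfile=$2 backup=$3
    [ -d "$target" ] && [ -f "$patchfile" ] || return 2

    # Back up first, and keep the archive outside the tree being patched.
    tar -cf "$backup" -C "$(dirname "$target")" "$(basename "$target")" || return 2

    # --dry-run tests every hunk without writing anything.
    # --forward refuses a patch that looks already applied instead of
    # offering to reverse it, so re-running the procedure is harmless.
    if ! patch -p1 -d "$target" --dry-run --forward < "$patchfile" >/dev/null 2>&1; then
        echo "patch does not apply cleanly to $target; nothing changed" >&2
        return 1
    fi

    patch -p1 -d "$target" --forward < "$patchfile" >/dev/null
}

# make_demo <workdir>: constructed sample tree and patch (not Roundcube files).
make_demo() {
    local dir=$1
    mkdir -p "$dir/tree"
    printf '%s\n' 'line one' 'old line' > "$dir/tree/hello.txt"
    printf '%s\n' '--- a/hello.txt' '+++ b/hello.txt' '@@ -1,2 +1,2 @@' \
        ' line one' '-old line' '+new line' > "$dir/fix.patch"
}

# Run the demo only when asked: ./script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_demo "$work"
    apply_patch_checked "$work/tree" "$work/fix.patch" "$work/backup.tar"
    echo "first run: $?"
    apply_patch_checked "$work/tree" "$work/fix.patch" "$work/backup2.tar"
    echo "second run (already applied): $?"
fi
```

If the patched tree misbehaves, restoring is a matter of extracting the backup archive over the original location.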