Applicable to:
- Plesk for Linux
Situation
The vulnerability CVE-2025-49113, which allows remote code execution by authenticated users, has been discovered in Roundcube.
Impact
Roundcube Webmail versions lower than 1.5.10 and 1.6.11 are affected.
Resolution
Install the latest Plesk updates to patch this vulnerability: How to upgrade Plesk to the next release
To deliver the patch as quickly as possible, Plesk backported it to 1.6.10 and 1.4.15. To make sure the patched version is installed, check the build number by running this command:
# (p=$(rpm -qa 2>/dev/null || dpkg -l 2>/dev/null) && echo "$p" | grep -i roundcube | grep -oE '[0-9]{6}' | while read v; do [ "$v" -lt 250601 ] && echo "Roundcube is not patched. Update Plesk" || echo "The patched Roundcube version is already installed"; done)
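As an added example (not from the article), the same build-number check written out in Python so the decision is explicit: it parses a Roundcube package version in the format quoted in the comments (assumed; e.g. "1.6.10-v.debian.12+p18.0.69.4+t250603.2043") and reports whether the version is an upstream fixed release, a Plesk backport build stamped on or after 250601, or still vulnerable. The sample version strings are constructed.

```python
import re

# Package-version format assumed here (constructed from the strings quoted in the
# comments, e.g. "1.6.10-v.debian.12+p18.0.69.4+t250603.2043"): upstream version,
# optional "-v.<distro>", optional "+p<plesk version>", optional "+t<YYMMDD>.<HHMM>".
VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-v\.[^+]*)?(?:\+p[^+]*)?(?:\+t(\d{6}))?"
)

# Plesk backported the fix to these two package versions; a build stamped on or
# after 250601 (the threshold used by the article's one-liner) carries the patch.
BACKPORTED = {(1, 6, 10), (1, 4, 15)}
PATCHED_BUILD_STAMP = 250601


def parse_version(pkg_version):
    """Return ((major, minor, patch), build_stamp_or_None) for a package version."""
    m = VERSION_RE.match(pkg_version.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube package version: {pkg_version!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    stamp = int(m.group(4)) if m.group(4) else None
    return base, stamp


def roundcube_status(pkg_version):
    """Classify a Roundcube package version against CVE-2025-49113."""
    base, stamp = parse_version(pkg_version)
    if base in BACKPORTED:
        # Only the build stamp distinguishes a patched backport from the old build.
        if stamp is None:
            return "unknown (backport version without a +t build stamp)"
        if stamp >= PATCHED_BUILD_STAMP:
            return "patched (Plesk backport)"
        return "vulnerable (pre-patch build of a backport version)"
    if base[:2] == (1, 6):
        return "patched (upstream release)" if base >= (1, 6, 11) else "vulnerable"
    if base[:2] == (1, 5):
        return "patched (upstream release)" if base >= (1, 5, 10) else "vulnerable"
    if base < (1, 5, 10):
        return "vulnerable"
    return "not covered by this advisory"


if __name__ == "__main__":
    # Constructed sample versions in the format quoted in the comments.
    for v in ("1.6.10-v.debian.12+p18.0.69.4+t250603.2043",
              "1.6.10-v.debian.12+p18.0.69.3+t250520.1500", "1.6.11"):
        print(f"{v}: {roundcube_status(v)}")
```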
Note: These patches were not tested with Roundcube versions earlier than 1.4.x and 1.6.x.
Roundcube Webmail 1.6.10
- Download the patch to the server:
# wget https://support.plesk.com/hc/en-us/article_attachments/32537223826583/patch-roundcube-1.6.10-CVE-2025-49113
- Apply it by running:
# patch -p1 -d /usr/share/psa-roundcube < patch-roundcube-1.6.10-CVE-2025-49113
Roundcube Webmail 1.4.15 (CentOS 7 and Ubuntu 18)
- Download the patch to the server:
# wget https://support.plesk.com/hc/en-us/article_attachments/32537223821463/patch-roundcube-1.4.15-CVE-2025-49113
- Apply it by running:
# patch -p1 -d /usr/share/psa-roundcube < patch-roundcube-1.4.15-CVE-2025-49113
Comments
According to the CVE entry, only version 1.6.11 fixes this. In contrast, https://docs.plesk.com/release-notes/obsidian/change-log/ claims that the included update to 1.6.10 already solves this. Seems rather confusing.
The update installs “1.6.10-v.debian.12+p18.0.69.4+t250603.2043” (.4 instead of .3 before). This doesn't clearly state whether the version is safe, quite the opposite actually. Plesk, please release version 1.6.11.
Hi, thank you for bringing this to our attention. While Roundcube version 1.6.11 includes multiple changes, to deliver the security update to our clients as quickly as possible, we chose to backport the fix to versions 1.6.10 and 1.4.15 instead.
After upgrading Plesk to 18.0.70-v.ubuntu.24.04, in Plesk/Tools and Settings/Plesk Components I see roundcube 1.6.10-v.ubuntu.24.04+p18.0.70.1, so this version would already be patched. Is this correct?