
CISA Adds Two Actively Exploited Vulnerabilities in Roundcube Webmail to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities in Roundcube Webmail to its Known Exploited Vulnerabilities (KEV) catalog. The flaws include a post-authentication remote code execution (RCE) vulnerability (CVE-2025-49113) and a cross-site scripting (XSS) vulnerability (CVE-2025-68461). Roundcube, a widely used webmail client in hosting and administration environments, is confirmed to be targeted in real-world attacks. No specific dates for the exploitation or vulnerability disclosure were provided in the alert. The inclusion in the KEV catalog indicates confirmed malicious activity leveraging these flaws.