Critical Vulnerability Discovered in Roundcube Webmail After a Decade

A researcher has discovered a critical vulnerability in Roundcube Webmail that has been present for a decade. Identified under the number CVE-2025-49113 with a CVSS score of 9.9, this flaw allows any authenticated user to gain full control of the server and execute arbitrary code. Patches were released on June 1st in versions 1.6.11 and 1.5.10 LTS. Without updates, thousands of servers remain vulnerable.