Hi, two new flaws were found in Roundcube, and a security update for stable versions 1.6 and 1.5 has been released.
CVE-2025-49113
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
CVE-2025-68461
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site Scripting (XSS) vulnerability via the animate tag in an SVG document.
Here are the release notes for version 1.6.11.
The release notes for version 1.5.10.
Remember to change to the proper version:
sed -Ei "s/^rc_v='1.6.11'/rc_v='1.6.13'/" /usr/local/hestia/install/upgrade/upgrade.conf
Here are @sahsanu's instructions; remember to back up and change to the proper version.
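As an added example (not part of the original post and not Hestia's own tooling), a small POSIX shell script that reads the rc_v pin from upgrade.conf, checks it against the fixed releases named above (1.5.12 and 1.6.12), and only if it is older backs the file up before making the same edit as the sed one-liner. The target version 1.6.13 and the stand-in config file are constructed for the demo; the real path is the one from the post.

```shell
#!/bin/sh
# Fixed releases for the two CVEs, per the advisory text above.
FIXED_15="1.5.12"
FIXED_16="1.6.12"

# version_ge A B: succeed when dotted version A >= B, compared numerically
# component by component (missing components count as 0). Runs in a
# subshell so the IFS change does not leak.
version_ge() (
    va=$1; vb=$2
    IFS=.
    set -- $va; a1=$1; a2=${2:-0}; a3=${3:-0}
    set -- $vb; b1=$1; b2=${2:-0}; b3=${3:-0}
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ]
    elif [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ]
    else [ "$a3" -ge "$b3" ]
    fi
)

# rc_pinned_version FILE: print the version pinned as rc_v='x.y.z' in FILE.
rc_pinned_version() {
    sed -n "s/^rc_v='\([^']*\)'.*/\1/p" "$1"
}

# rc_fixed VERSION: succeed when VERSION carries both fixes on its branch
# (1.5.x needs 1.5.12, 1.6.x needs 1.6.12; anything else must be newer than
# the 1.6 fix).
rc_fixed() {
    case $1 in
        1.5.*) version_ge "$1" "$FIXED_15" ;;
        *)     version_ge "$1" "$FIXED_16" ;;
    esac
}

# bump_rc_pin FILE NEWVER: keep a timestamped backup of FILE, then rewrite
# the rc_v pin (same edit as the post's one-liner, GNU sed -i).
bump_rc_pin() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)" || return 1
    sed -i "s/^rc_v='[^']*'/rc_v='$2'/" "$1"
}

# Demo on a constructed stand-in for /usr/local/hestia/install/upgrade/upgrade.conf.
demo() {
    conf=$(mktemp)
    printf "rc_v='1.6.11'\nother_setting='x'\n" > "$conf"
    cur=$(rc_pinned_version "$conf")
    if rc_fixed "$cur"; then echo "rc_v=$cur already carries the fixes"
    else echo "rc_v=$cur is below the fixed release; bumping"; bump_rc_pin "$conf" 1.6.13
    fi
    rc_pinned_version "$conf"          # prints 1.6.13
    rm -f "$conf" "$conf".bak.*
}
```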