Two Actively Exploited Roundcube Vulnerabilities Added to CISA KEV Catalog
Summary
CISA added two vulnerabilities in Roundcube webmail software to its KEV catalog, citing active exploitation. CVE-2025-49113 (CVSS 9.9) allows remote code execution via untrusted data deserialization, while CVE-2025-68461 (CVSS 7.2) is a cross-site scripting flaw. Both vulnerabilities were patched in 2025, but exploits have been developed and sold. The flaws have been linked to nation-state actors in the past. FCEB agencies must remediate by March 13, 2026.
Timeline
- 21.02.2026 09:21
CISA Adds Two Actively Exploited Roundcube Flaws to KEV Catalog
CISA added CVE-2025-49113 and CVE-2025-68461 to its KEV catalog due to active exploitation. CVE-2025-49113 allows remote code execution and was weaponized within 48 hours of disclosure. CVE-2025-68461 is a cross-site scripting flaw. FCEB agencies must remediate by March 13, 2026.
Sources:
- CISA Adds Two Actively Exploited Roundcube Flaws to KEV Catalog — thehackernews.com — 21.02.2026 09:21
Information Snippets
- CVE-2025-49113 is a deserialization of untrusted data vulnerability with a CVSS score of 9.9, allowing remote code execution by authenticated users.
  First reported: 21.02.2026 09:21 (1 source, 1 article)
- CVE-2025-68461 is a cross-site scripting vulnerability via the animate tag in an SVG document, with a CVSS score of 7.2.
  First reported: 21.02.2026 09:21 (1 source, 1 article)
- CVE-2025-49113 was discovered by Kirill Firsov of FearsOff and was weaponized within 48 hours of public disclosure.
  First reported: 21.02.2026 09:21 (1 source, 1 article)
- An exploit for CVE-2025-49113 was made available for sale on June 4, 2025.
  First reported: 21.02.2026 09:21 (1 source, 1 article)
- The vulnerabilities were patched in June and December 2025, respectively.
  First reported: 21.02.2026 09:21 (1 source, 1 article)
- FCEB agencies must remediate the vulnerabilities by March 13, 2026.
  First reported: 21.02.2026 09:21 (1 source, 1 article)