
The U.S. Cybersecurity and Infrastructure Security Agency, CISA, has added two flaws in the widely used email client Roundcube Webmail to its catalog of known actively exploited vulnerabilities. This is not a case of theoretical risk or academic curiosity — both issues have already been observed in real-world attacks.
A Near-Perfect Score for Attackers
The first vulnerability, tracked as CVE-2025-49113, carries a CVSS score of 9.9, which is about as close to “maximum trouble” as it gets. The flaw allows an authenticated user to execute arbitrary code on the server due to improper input handling in the file upload module. Affected versions include Roundcube up to 1.5.10, as well as the 1.6.x branch up to and including 1.6.11. Evidence of exploitation surfaced shortly after the issue was publicly disclosed, suggesting that some actors were more than ready to put it to use.
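As an added example (not code from the article or from the Roundcube project), the following Python helper turns the affected-version ranges the article gives for CVE-2025-49113 into a triage check over a host inventory. The inclusive boundaries follow the article's wording literally, and the inventory is constructed sample data.

```python
"""Triage Roundcube installs against the CVE-2025-49113 ranges stated in the article.

Assumptions (added example, not from the article or vendor):
- "up to 1.5.10" is read as every release <= 1.5.10 (no lower bound given);
- "1.6.x up to and including 1.6.11" is read as 1.6.0 <= version <= 1.6.11;
- versions are normalised to major.minor.patch before comparison.
Confirm the exact cut-offs against the vendor advisory before acting on results.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high) ranges as described in the article.
AFFECTED_RANGES_CVE_2025_49113 = [
    ((0, 0, 0), (1, 5, 10)),
    ((1, 6, 0), (1, 6, 11)),
]

# Accepts "1.6.9", "v1.5.3" or banner text like "Roundcube Webmail 1.6.11".
_VERSION_RE = re.compile(r"\bv?(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first dotted version from text as a 3-tuple, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]  # pad/truncate to major.minor.patch


def is_affected(version_text: str) -> Optional[bool]:
    """True if in an affected range, False if not, None if unparseable."""
    v = parse_version(version_text)
    if v is None:
        return None
    return any(low <= v <= high for low, high in AFFECTED_RANGES_CVE_2025_49113)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patch', 'ok' or 'verify' (version string not understood)."""
    labels = {True: "patch", False: "ok", None: "verify"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


# Constructed sample inventory for demonstration; hostnames are placeholders.
SAMPLE_INVENTORY = {
    "mail-a.example": "Roundcube Webmail 1.6.9",
    "mail-b.example": "1.6.12",
    "mail-c.example": "v1.4.15",
    "mail-d.example": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```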
SVG Tags That Do More Than Draw Pictures
The second issue, CVE-2025-68461 with a CVSS score of 7.2, involves cross-site scripting via SVG documents. Malicious code can be executed in a user’s browser without their knowledge, triggered by specially crafted tags. This vulnerability was also exploited in the wild before it earned a place in the official catalog.
CISA noted that U.S. federal agencies are required to remediate these and other actively exploited vulnerabilities within specified deadlines under a directive introduced in 2021. While the mandate formally applies only to government networks, an unpatched mail server tends to attract attention regardless of its owner’s legal obligations.
Email platforms have long been a favored entry point for cybercriminals and even state-backed groups, as compromising a mail server can expose correspondence, credentials, and other sensitive data. In that light, the Roundcube case reads less like an isolated incident and more like another reminder that email remains a high-value target — and that the list of actively exploited vulnerabilities is very much a working document, not a historical archive.