rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOpensuse Backports Sle
APPOpensuse15.0Opensuse Leap
OSOpensuse15.115.2Roundcube Webmail
APPRoundcube1.2.0 – 1.2.10 (bez)1.3.0 – 1.3.11 (bez)1.4.0 – 1.4.4 (bez)
CISA KEV — detailsi
- Vendori
- Roundcube
- Producti
- Roundcube Webmail
- Added to KEVi
- June 22, 2023
- Remediation deadline (US Federal)i
- July 13, 2023(overdue)
Apply updates per vendor instructions.
Roundcube Webmail contains an remote code execution vulnerability that allows attackers to execute code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
Related vulnerabilities
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
XSS w Roundcube Webmail umożliwiający kradzież i wysyłkę wiadomości e-mail
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_par...
An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the...