It was recently announced that Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 is affected by a remote code execution vulnerability (see CVE-2025-49113). We rapidly prepared and released an update with the fix on June 5.
The updates should arrive automatically, but it's better to check.
We highly recommend that you ensure your servers have one of the following updates installed, depending on your Plesk version:
Plesk Obsidian 18.0.70 Update 1
Plesk Obsidian 18.0.69 Update 4
If you have no direct upgrade option available for your server, you can still consider Plesk server-to-server migration.
If you are concerned that your Plesk version doesn't have the update available, see the Plesk Lifecycle Policy.