Overview
Roundcube has released fixes for critical and high severity vulnerabilities affecting Roundcube Webmail. The first is a post-authentication RCE via PHP object deserialization that allows remote code execution by authenticated users; the second is a cross-site scripting (XSS) vulnerability through the SVG animate tag.
- CVE-2025-49113: Post-Auth Remote Code Execution in Roundcube via PHP Object Deserialization (CVSSv3 9.9). Affected versions: < 1.5.10, 1.6.x < 1.6.11.
- CVE-2025-68461: Roundcube Webmail Cross-site Scripting (CVSSv3 7.2). Affected versions: < 1.5.12, 1.6.x < 1.6.12.
SolarWinds has released a fix for a critical vulnerability affecting Serv-U, in which broken access control could let an attacker with domain/group admin privileges create a system admin user and execute code with root/SYSTEM permissions.
- CVE-2025-40538: SolarWinds Serv-U Broken Access Control Remote Code Execution (CVSSv3 9.1). Affected versions: < 15.5.4.
n8n has released a fix for a critical vulnerability affecting its workflow automation platform, where flaws in the expression evaluation/sandbox could allow an authenticated user with workflow edit permissions to execute system commands on the host. Several other critical vulnerabilities have been identified, and more details on these can be found in the link below.
- CVE-2026-27577: Expression Sandbox Escape Leads to Remote Code Execution (CVSSv4 9.4). Affected versions: < 1.123.22, >= 2.0.0 and < 2.9.3, and >= 2.10.0 and < 2.10.1.
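To triage an inventory against the affected ranges listed above, the following added example (not part of the original advisory or any vendor tooling) compares versions numerically, which matters for ranges such as n8n 2.10.0 versus 2.9.3 where a text comparison gives the wrong answer. The product keys, function names and sample inventory are constructed for illustration, and "1.6.x < 1.6.11" is read as >= 1.6.0 and < 1.6.11.

```python
import re

# Half-open ranges [low, high) transcribed from this advisory; low=None means "any earlier version".
# Assumption: "1.6.x < 1.6.11" is read as >= 1.6.0 and < 1.6.11. Product keys are hypothetical labels.
AFFECTED = {
    "CVE-2025-49113": ("roundcube", [(None, "1.5.10"), ("1.6.0", "1.6.11")]),
    "CVE-2025-68461": ("roundcube", [(None, "1.5.12"), ("1.6.0", "1.6.12")]),
    "CVE-2025-40538": ("serv-u", [(None, "15.5.4")]),
    "CVE-2026-27577": ("n8n", [(None, "1.123.22"), ("2.0.0", "2.9.3"), ("2.10.0", "2.10.1")]),
}

def parse(version, width=4):
    """Turn '1.6.11' into (1, 6, 11, 0): numeric parts, zero-padded so '1.6' equals '1.6.0'."""
    if not re.fullmatch(r"\d+(\.\d+){0,%d}" % (width - 1), version):
        raise ValueError(f"unsupported version string: {version!r}")
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def affected_cves(product, version):
    """Return the CVE IDs from the advisory whose ranges contain this version."""
    v = parse(version)
    return [cve for cve, (name, ranges) in AFFECTED.items()
            if name == product.lower()
            and any((lo is None or parse(lo) <= v) and v < parse(hi) for lo, hi in ranges)]

def triage(inventory):
    """Map each host to its CVE list, or ['REVIEW'] when the version cannot be parsed."""
    report = {}
    for host, product, version in inventory:
        try:
            report[host] = affected_cves(product, version)
        except ValueError:
            report[host] = ["REVIEW"]  # pre-release or vendor-suffixed strings need a manual check
    return report

# Constructed sample inventory (hostnames and versions are made up for this example).
INVENTORY = [
    ("mail01", "roundcube", "1.6.9"),
    ("mail02", "roundcube", "1.6.11"),
    ("ftp01", "serv-u", "15.5.4"),
    ("auto01", "n8n", "2.10.0"),
    ("auto02", "n8n", "2.9.3"),
    ("auto03", "n8n", "1.123.22-beta"),
]

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(host, result or "not in an affected range")
```

Hosts reported as REVIEW carry a version string the parser does not understand and should be checked by hand against the vendor advisory.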
Recommended Action
Organisations are encouraged to review the appropriate security advisory pages and apply the updates:
- Roundcube: Roundcube Webmail News
- SolarWinds: SolarWinds Trust Center Security Advisories | CVE-2025-40538
- n8n: Security Bulletin: February 25, 2026 - Security Advisories - n8n Community
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.