// wall of bugs caught

10 critical bugs
PullLight would have caught in your PRs.

Every card below is a real bug flagged during PR review, with its CVE, CWE and before/after code. Try it on your own PR →

13 total catches: 10 critical, 3 high. 10 with CVSS ≥ 9. 5 languages.
Severity: critical | Category: deserialization | Language: PHP | CVE-2025-49113
PHP Object Deserialization via _from Parameter
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 did not validate the _from URL parameter in program/actions/settings/upload.php, so an authenticated user could drive PHP object deserialization and, with a POP chain built from classes already installed on the server, reach remote code execution as the webserver user. The snippet below is a simplified illustration of the pattern (attacker input reaching unserialize()), not Roundcube's literal code.
Before (vulnerable)
$from = unserialize($_POST['_from']); // attacker-controlled bytes handed straight to unserialize()
$identity = $from->get_identity();     // any gadget class the autoloader can reach is now live
After (fixed)
// The parameter is an identifier: allowlist its characters and never deserialize it.
// (Illustrative check, not Roundcube's exact patch.)
$from = $_POST['_from'] ?? '';
if (!is_string($from) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $from)) {
  throw new Exception('Invalid _from parameter');
}
// $from is now a plain, validated string; look the identity up by id instead of trusting an object.
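Added example (not PullLight's or Roundcube's code) showing the class of bug the card describes end to end: a gadget class whose __destruct does something dangerous, the serialized payload an attacker would hand-build, the vulnerable unserialize() call, and the two standard defenses. The class name LogFlusher, all function names and the temp-file path are constructed for the demo.

```php
<?php
// Added example (not PullLight's or Roundcube's code). The gadget class,
// the function names and the temp-file path are all constructed for the demo.

// A "gadget": a class whose magic method does something dangerous when PHP
// tears down an instance. Real gadgets are found in installed libraries
// (the "POP chain" on the card); this one is deliberately simple.
class LogFlusher
{
    public string $path = '/tmp/app.log';
    public string $data = '';

    // Runs when the object is freed, i.e. as soon as the result of an
    // unserialize() call goes out of scope. The app never has to call a method.
    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// The attacker's side: the payload is written by hand, so the gadget is never
// instantiated here (instantiating it would fire __destruct on the attacker's box).
function craftPayload(string $path, string $contents): string
{
    return sprintf(
        'O:10:"LogFlusher":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
        strlen($path), $path, strlen($contents), $contents
    );
}

// Vulnerable pattern, same shape as the "before" snippet on the card.
function vulnerableHandler(string $from): void
{
    $obj = unserialize($from); // gadget object built from attacker input
    // $obj is dropped when we return -> __destruct -> attacker-chosen file write
}

// Defense 1: if you must unserialize untrusted data, forbid object creation.
// Every object becomes __PHP_Incomplete_Class, whose magic methods never run.
function saferUnserialize(string $from)
{
    return unserialize($from, ['allowed_classes' => false]);
}

// Defense 2 (what the fix on the card does): the value is an identifier, so
// allowlist it as one and never hand it to unserialize() at all.
function validateFrom(string $from): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $from)) {
        throw new InvalidArgumentException('Invalid _from parameter');
    }
    return $from;
}

// Demo with a constructed target path in the system temp dir.
$target  = sys_get_temp_dir() . '/gadget-demo.txt';
$payload = craftPayload($target, "written by a deserialization gadget\n");
echo "Payload: $payload\n";

@unlink($target);
vulnerableHandler($payload);
echo 'vulnerableHandler:     file ' . (is_file($target) ? 'written' : 'absent') . "\n";

@unlink($target);
saferUnserialize($payload);
echo 'allowed_classes=false: file ' . (is_file($target) ? 'written' : 'absent') . "\n";

try {
    validateFrom($payload);
} catch (InvalidArgumentException $e) {
    echo 'validateFrom(payload): ' . $e->getMessage() . "\n";
}
echo 'validateFrom(id):      ' . validateFrom('identity-42') . "\n";
```

Run it with `php gadget-demo.php` (PHP 7.4 or newer for typed properties). The vulnerable handler creates the file without the application ever calling a method on the object, which is why input validation has to happen before unserialize() rather than after; the allowed_classes=false path leaves the file absent, and the allowlist rejects the payload while accepting an ordinary identity id.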
Browse full case studies with diffs & analysis →
Install in 60 seconds — free for OSS. Watch PullLight flag bugs like these in your PRs.
Install on GitHub →