The spell checker plugin (check_me.mod.php) for SquirrelMail before 1.2.3 allows remote attackers to execute arbitrary commands via a modified sqspell_command parameter.
https://exchange.xforce.ibmcloud.com/vulnerabilities/7990
http://archives.neohapsis.com/archives/bugtraq/2002-01/0306.html