Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution.
https://lists.horde.org/archives/announce/2020/001285.html
https://lists.debian.org/debian-lts-announce/2020/04/msg00008.html