The Horde webmail application has a vulnerability that allows an attacker to fully take over an instance as soon as a victim opens an email the attacker sent, without requiring further interaction from the user. The vulnerability exists in the default configuration and can be exploited with no knowledge of a targeted Horde instance. An authenticated user can execute arbitrary code on the underlying server by sending a maliciously crafted email that triggers the vulnerability via Cross-Site-Request-Forgery (CSRF). This allows an attacker to intercept every sent and received email, access password-reset links, and steal all credentials of users logging into the webmail service. The vendor has not released a patch at the time of writing, making it crucial for organizations using Horde webmail to consider alternative solutions.