The widely distributed open-source webmail software Roundcube contains a highly critical vulnerability in version 1.2.2 that allows an authenticated user to execute arbitrary commands on the underlying operating system simply by composing an email with a specific payload. The root cause is insufficient sanitization of user-controlled input that Roundcube passes to PHP's mail() function; exploitation additionally depends on the server's configuration, in particular on PHP's safe_mode being turned off. An attacker modifies the _from parameter of the HTTP request sent when the email is composed, and the unsanitized value reaches mail() in a way that lets the attacker place a malicious PHP file on the file system, which then yields arbitrary code execution. A proof of concept demonstrates the attack scenario. The Roundcube team released version 1.2.3 with a fix only one week after being notified, a professional response to a security issue.
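The defensive counterpart to the issue described above, as an added example that is not Roundcube's own code or its actual patch: a user-supplied sender address is validated as a single plain email address before it is ever used as the additional_parameters argument of mail(), and anything else is logged and refused. The helper names are hypothetical.

```php
<?php
// Added example (not Roundcube's code). Demonstrates the hardened pattern:
// never let a user-controlled "from" value reach mail()'s fifth argument
// unless it is provably a single, plain email address.

/**
 * Return the address if it is safe to use as an envelope sender, else null.
 * Hypothetical helper; Roundcube's real fix may differ in detail.
 */
function safe_envelope_sender(string $from): ?string
{
    // 1. Must be a syntactically valid email address on its own.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // 2. Allow-list the characters, so no whitespace, quotes or other
    //    separators can turn the value into additional command-line options.
    //    (Do not use escapeshellarg() here: PHP already escapes this argument
    //    internally, so added quotes would end up inside the address.)
    if (preg_match('/^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+$/', $from) !== 1) {
        return null;
    }
    return $from;
}

/**
 * Send with an explicit envelope sender, refusing (and logging) bad input.
 */
function send_with_sender(string $to, string $subject, string $body,
                          string $headers, string $from): bool
{
    $sender = safe_envelope_sender($from);
    if ($sender === null) {
        // Refuse rather than fall back silently; a rejected sender value is
        // exactly the signal an operator wants in the logs.
        error_log('rejected envelope sender (hex): ' . bin2hex($from));
        return false;
    }
    // With safe_mode off, PHP passes this string to the local sendmail binary,
    // which is why strict validation above is essential.
    return mail($to, $subject, $body, $headers, '-f' . $sender);
}

// Constructed inputs for a quick self-check (php this_file.php):
var_dump(safe_envelope_sender('alice@example.org'));        // string(17)
var_dump(safe_envelope_sender('alice@example.org extra'));  // NULL
var_dump(safe_envelope_sender("alice@example.org\n"));      // NULL
```

On a server that is not configured to send mail, the send_with_sender() call itself will return false, but the validator can still be exercised as shown by the three checks at the end.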