There is a remote code execution bug in horde affecting all versions from
at least horde 3.1.x to 5.1.1.
This has been fixed in commit
https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3
Also check changelog
https://github.com/horde/horde/blob/82c400788537cfc0106b68447789ff53793ac086/bundles/groupware/docs/CHANGES#L215

Can you please assign a CVE for this issue?

Thanks in advance.

PS: while I discovered this bug independently reviewing horde3 code, the
full credit should go to the horde maintainers as they discovered and fixed
it first on horde5.

framework/Util/lib/Horde/Variables.php
@@ -61,7 +61,9 @@ static public function getDefaultVariables($sanitize = false)
      * Constructor.
      *
      * @param array $vars       The list of form variables (if null, defaults
-     *                          to PHP's $_REQUEST value).
+     *                          to PHP's $_REQUEST value). If '_formvars'
+     *                          exists, it must be a JSON encoded array that
+     *                          contains the list of allowed form variables.
      * @param string $sanitize  Sanitize the input variables?
      */
     public function __construct($vars = array(), $sanitize = false)
@@ -72,7 +74,7 @@ public function __construct($vars = array(), $sanitize = false)
         }

         if (isset($vars['_formvars'])) {
-            $this->_expected = @unserialize($vars['_formvars']);
+            $this->_expected = @json_decode($vars['_formvars'], true);
             unset($vars['_formvars']);

         }

Regards
Pedro