EGroupware discloses three advisories in one batch — an auth-bypass RCE, an admin eval() RCE, and a mail-compose LFI
An authorization check in SmallPartMediaRecorder::ajax_upload() trusts a user-controlled participant_role value instead of the server-side course ACL, so a crafted upload request bypasses the teacher-only gate; combined with a separate file-read primitive, that chain reaches full RCE and is exploitable pre-auth if self-registration is enabled. A second bug lets an authenticated admin get OS-level RCE by uploading a malicious .xet eTemplate file — Widget::expand_name() escapes double quotes before eval() but never escapes backticks, and PHP executes backtick-wrapped shell commands inside double-quoted eval strings. A third, unrelated bug in mail compose treats file:// URIs as "not http" and passes them straight to file_get_contents(), reading arbitrary server files into outgoing mail. Patch to the fixed release now — if self-registration is on, treat this as pre-auth RCE and take the instance offline until patched.