### Vulnerability Summary

- **Summary/Description**: This is a remote code execution (RCE) vulnerability caused by insecure PHP deserialization. An authenticated user can execute arbitrary system commands. The vulnerability exists in the `AbstractSettingsCollection` model, where settings are loaded and the system fails to properly map `SerializedObject` instances to their intended types, allowing attackers to load arbitrary objects and achieve RCE.
- **Affected Versions**: 26.0.11 (latest)
- **Patched Versions**: 26.0.12, 25.0.0, 6.8.156
- **Severity**: 10.0 / 10 (Critical)
- **Details**: The vulnerability is located in the `_loadSettings()` method within `groupware/modules/common/classes/AbstractSettingsCollection.php`. This method automatically deserializes settings for specific modules or components. It uses `var_export()` in combination with `file()` and blindly passes the remaining string to PHP’s `eval()` function without any class validation,