html2text.php in RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch.

More... (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5619)