cPanel prior to 60.0.25 allows arbitrary file-overwrite operations during a Roundcube update (SEC-164).
cpanel cpanel