An RCE vulnerability was recently discovered in horde, which can be exploited with the only requirement being that the victim opens a malicious email.
Horde Webmail has been currently disabled until a patch is released.
Please note, you can still access webmail using Roundcube.