Description
An unserialization vulnerability was recently discovered which affects the phar wrapper. Because phpMussel implements the phar wrapper for reading archives, this vulnerability also currently affects all currently supported versions of phpMussel to the extent of its ability to read archives.
I would strongly recommend that all phpMussel users disable archive checking in phpMussel until further notice. This can be achieved by setting check_archives to false in the phpMussel configuration (at which point, phpMussel would be unable to scan the content of archives, but would also be protected from this vulnerability).
Currently planning exactly how to resolve this problem for phpMussel, but it'll most likely involve a complete overhaul of how phpMussel handles archives, and involve completely ditching the phar wrapper in favour of something else. Anyway, I'll reply here with any relevant updates that happen, new information, etc., and announce here when the problem is resolved.