This is a POC for CVE-2018-20718. It is a PHP Object injection vulnerability. The vulnerability affect all version of Pydio before 8.2.1 and leads to Unauthenticated Remote Code Execution. It was originaly found by RIPS.
I found a gadget in Pydio\Core\Controller\ShutdownScheduler which allows remote code execution if combined with the already known GuzzleHttp\Psr7\FnStream gadget.
Exemple of exploitation
Technical details
https://blog.ripstech.com/2018/pydio-unauthenticated-remote-code-execution/