CVE-2026-48939: iCagenda unauthenticated file upload RCE in public event submission form
CVE-2026-48939 is verified against iCagenda · joomla affected versions: iCagenda 3.2.1 through 3.9.14 and 4.0.0 through 4.0.7 (ticket also notes 1.0.0 through 4.0.7) fixed version: 3.9.15 / 4.0.8 vulnerability class: RCE This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00259.
pruva-verify REPRO-2026-00259 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00259/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh The frontend public event submission form in iCagenda allows unauthenticated users to upload arbitrary files via the attachment field. Files are stored under /images/icagenda/frontend/attachments/ with their original extension and no extension/MIME/content validation. On Joomla 6 the uploaded PHP file is executable, yielding unauthenticated RCE.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.