Skip to content
Verified reproduction

CVE-2026-48939: iCagenda unauthenticated file upload RCE in public event submission form

CVE-2026-48939 is verified against iCagenda · joomla affected versions: iCagenda 3.2.1 through 3.9.14 and 4.0.0 through 4.0.7 (ticket also notes 1.0.0 through 4.0.7) fixed version: 3.9.15 / 4.0.8 vulnerability class: RCE This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00259.

REPRO-2026-00259 iCagenda · joomla RCE Variant found Jul 6, 2026 .txt
Severity CRITICAL
Confidence HIGH
Reproduced in 107m 17s
Tool calls 597
Spend $18.76
Affected iCagenda 3.2.1 through 3.9.14 and 4.0.0 through 4.0.7 (ticket also notes 1.0.0 through 4.0.7)
Fixed in 3.9.15 / 4.0.8
$ pruva-verify REPRO-2026-00259
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00259/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

The frontend public event submission form in iCagenda allows unauthenticated users to upload arbitrary files via the attachment field. Files are stored under /images/icagenda/frontend/attachments/ with their original extension and no extension/MIME/content validation. On Joomla 6 the uploaded PHP file is executable, yielding unauthenticated RCE.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/artifact_promotion_manifest.json15.7 KB
bundle/artifact_promotion_report.json15.4 KB
bundle/vuln_variant/source_identity.json1.3 KB
bundle/vuln_variant/root_cause_equivalence.json1.4 KB
bundle/repro/runtime_manifest.json1.1 KB
bundle/logs/reproduction_steps.log6.9 KB
bundle/repro/fetch_vulnerable_18097.log0.1 KB
bundle/repro/reproduction_steps.sh17.9 KB
bundle/repro/fetch_vulnerable_rce.log0.3 KB
bundle/repro/fetch_fixed_rce.log4.5 KB
bundle/repro/validation_verdict.json0.8 KB
bundle/repro/rca_report.md8.6 KB
bundle/logs/vulnerable_source.log0.4 KB
bundle/logs/fixed_source.log0.6 KB
bundle/logs/vulnerable_container.log4.3 KB
bundle/logs/fixed_container.log2.4 KB
bundle/repro/form_page_vulnerable.html52.5 KB
bundle/repro/form_page_fixed.html52.5 KB
bundle/repro/upload_vulnerable.log10.4 KB
bundle/repro/upload_fixed.log4.4 KB
bundle/vuln_variant/reproduction_steps.sh17.1 KB
bundle/logs/vuln_variant/reproduction_steps.log9.6 KB
bundle/vuln_variant/rca_report.md11.2 KB
bundle/vuln_variant/patch_analysis.md7.7 KB
bundle/vuln_variant/variant_manifest.json3.6 KB
bundle/vuln_variant/validation_verdict.json2.2 KB
bundle/vuln_variant/runtime_manifest.json1.5 KB
bundle/logs/vuln_variant/vulnerable_source.log0.6 KB
bundle/logs/vuln_variant/fixed_source.log0.8 KB
bundle/logs/vuln_variant/vulnerable_version.txt0.6 KB
bundle/logs/vuln_variant/fixed_version.txt0.8 KB
bundle/vuln_variant/form_page_vulnerable.html52.5 KB
bundle/vuln_variant/form_page_fixed.html52.5 KB
bundle/vuln_variant/upload_image_vulnerable.log10.5 KB
bundle/vuln_variant/upload_image_fixed.log10.5 KB
bundle/vuln_variant/fetch_image_vulnerable_php.log4.5 KB
bundle/vuln_variant/fetch_image_vulnerable_gif.log0.4 KB
bundle/vuln_variant/fetch_image_fixed_php.log4.5 KB
bundle/vuln_variant/fetch_image_fixed_gif.log0.4 KB
bundle/vuln_variant/submitted_images_vulnerable.txt0.1 KB
bundle/vuln_variant/submitted_images_fixed.txt0.1 KB
bundle/coding/proposed_fix.diff1.7 KB
bundle/coding/verify_fix.sh13.5 KB
bundle/coding/summary_report.md4.4 KB
bundle/logs/verify_fix.log3.1 KB