CVE-2026-60102: Horde VFS < 3.0.1 OS command injection via Horde_Vfs_Smb driver
CVE-2026-60102 is verified against horde/vfs · github affected versions: < 3.0.1 fixed version: 3.0.1 vulnerability class: Command Injection This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00288.
pruva-verify REPRO-2026-00288 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00288/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver. Authenticated users can supply crafted filenames through normal VFS operations such as upload, create folder, rename, delete, or read paths. Those names are interpolated into a shell command that reaches proc_open() and /bin/sh -c before smbclient runs. The vulnerable code path is in lib/Horde/Vfs/Smb.php and the issue is fixed in 3.0.1 by eliminating shell-string execution and hardening SMB argument quoting.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.