Skip to content
Verified reproduction

CVE-2026-60102: Horde VFS < 3.0.1 OS command injection via Horde_Vfs_Smb driver

CVE-2026-60102 is verified against horde/vfs · github affected versions: < 3.0.1 fixed version: 3.0.1 vulnerability class: Command Injection This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00288.

REPRO-2026-00288 horde/vfs · github Command Injection Variant found Jul 14, 2026 CVE entry .txt
Severity HIGH
Confidence HIGH
Reproduced in 12m 50s
Tool calls 135
Spend $1.30
Affected < 3.0.1
Fixed in 3.0.1
$ pruva-verify REPRO-2026-00288
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00288/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver. Authenticated users can supply crafted filenames through normal VFS operations such as upload, create folder, rename, delete, or read paths. Those names are interpolated into a shell command that reaches proc_open() and /bin/sh -c before smbclient runs. The vulnerable code path is in lib/Horde/Vfs/Smb.php and the issue is fixed in 3.0.1 by eliminating shell-string execution and hardening SMB argument quoting.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/artifact_promotion_manifest.json13.2 KB
bundle/artifact_promotion_report.json13.2 KB
bundle/vuln_variant/source_identity.json0.7 KB
bundle/vuln_variant/root_cause_equivalence.json2.2 KB
bundle/repro/reproduction_steps.sh6.7 KB
bundle/logs/reproduction_steps.log0.8 KB
bundle/logs/vulnerable.log0.3 KB
bundle/logs/fixed.log0.2 KB
bundle/repro/rca_report.md6.2 KB
bundle/repro/validation_verdict.json0.7 KB
bundle/repro/runtime_manifest.json0.8 KB
bundle/logs/vulnerable_smbclient.log0.1 KB
bundle/logs/fixed_smbclient.log0.2 KB
bundle/repro/artifacts/fake_smbclient.sh0.2 KB
bundle/repro/artifacts/harness.php1.1 KB
bundle/vuln_variant/reproduction_steps.sh6.4 KB
bundle/logs/vuln_variant/variant_run.log5.9 KB
bundle/vuln_variant/validation_verdict.json1.0 KB
bundle/vuln_variant/variant_manifest.json2.7 KB
bundle/vuln_variant/patch_analysis.md5.9 KB
bundle/vuln_variant/rca_report.md7.6 KB
bundle/vuln_variant/runtime_manifest.json1.6 KB
bundle/logs/vuln_variant/createFolder_vulnerable.log0.3 KB
bundle/logs/vuln_variant/createFolder_fixed.log0.3 KB
bundle/logs/vuln_variant/deleteFile_vulnerable.log0.3 KB
bundle/logs/vuln_variant/deleteFile_fixed.log0.3 KB
bundle/logs/vuln_variant/writeData_vulnerable.log0.3 KB
bundle/logs/vuln_variant/writeData_fixed.log0.3 KB
bundle/logs/vuln_variant/rename_vulnerable.log0.3 KB
bundle/logs/vuln_variant/rename_fixed.log0.3 KB
bundle/logs/vuln_variant/readFile_vulnerable.log0.3 KB
bundle/logs/vuln_variant/readFile_fixed.log0.3 KB
bundle/logs/vuln_variant/deleteFolder_vulnerable.log0.3 KB
bundle/logs/vuln_variant/deleteFolder_fixed.log0.3 KB
bundle/logs/vuln_variant/isFolder_vulnerable.log0.3 KB
bundle/logs/vuln_variant/isFolder_fixed.log0.3 KB
bundle/logs/vuln_variant/listFolderPath_vulnerable.log0.3 KB
bundle/logs/vuln_variant/listFolderPath_fixed.log0.3 KB
bundle/vuln_variant/artifacts/fake_smbclient.sh0.2 KB
bundle/vuln_variant/artifacts/harness.php1.6 KB