{
  "created_at": "2026-07-06T15:15:00Z",
  "parent_root_cause": "The public jform[file] attachment path in iCagenda 4.0.7 preserved executable extensions and wrote attacker-controlled PHP under a web-accessible directory.",
  "candidate_root_cause": "The public jform[image] path writes attacker-controlled upload content under a web-accessible images directory, but rewrites a .php GIF polyglot to .gif and does not execute PHP in the tested runtime.",
  "same_sink": true,
  "same_sink_detail": "Both paths eventually use Joomla\\Filesystem\\File::upload into a Joomla images subtree.",
  "same_trust_boundary": true,
  "same_trust_boundary_detail": "Both are reachable through the unauthenticated public event submission form when public submission and upload fields are enabled.",
  "same_dangerous_property_reached": false,
  "dangerous_property": "Preservation of a web-executable PHP extension under an executable web root.",
  "equivalence_confidence": "low",
  "negative_reason": "The image path did not preserve .php; it stored .gif and Apache served it as static image/gif. Therefore the parent RCE root cause was not reached through this alternate field.",
  "evidence": [
    "bundle/vuln_variant/submitted_images_vulnerable.txt",
    "bundle/vuln_variant/submitted_images_fixed.txt",
    "bundle/vuln_variant/fetch_image_vulnerable_gif.log",
    "bundle/vuln_variant/fetch_image_fixed_gif.log",
    "bundle/logs/vuln_variant/reproduction_steps.log"
  ]
}
