{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "Variant: a NON-ADMIN authenticated user creates a path-traversal organisation via POST /api/v1/user/orgs (org.CreateMyOrg; api.CreateOrgOption with no AlphaDashDot rule) -> a nested bare repo is written outside the repository ROOT, inside another repo's local worktree -> an executable post-update hook is planted via Git smart-HTTP + web upload sync -> git-receive-pack on the planted bare repo executes the hook as the Gogs user (RCE). The fixed version 0.14.3 rejects the request inline (422) and applies pathutil.Clean.",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "gogs",
    "sqlite3",
    "git-smart-http",
    "web-upload",
    "git-receive-pack",
    "git-hooks"
  ],
  "proof_artifacts": [
    "logs/vuln_variant_steps.log",
    "logs/vv_gogs_vuln.log",
    "logs/vv_http_vuln.log",
    "logs/vv_git_vuln.log",
    "logs/vv_state_vuln.log",
    "vuln_variant/rce_marker_vuln.txt",
    "logs/vv_gogs_fixed.log",
    "logs/vv_http_fixed.log",
    "logs/vv_git_fixed.log",
    "logs/vv_state_fixed.log"
  ],
  "notes": "Alternate trigger (non-admin user) works on the vulnerable version; the fixed version blocks it, so this is not a bypass of the fix."
}