[2026-07-02T17:46:35Z] Step 1: Creating variant VSIX (HTML smuggled as icon)...
Created vpub.vext-1.0.0.vsix (2031 bytes)
[2026-07-02T17:46:35Z] Variant VSIX created at /data/pruva/runs/ca30852c-9595-4b4b-b0b6-592b9e72d11a/bundle/vuln_variant/vpub.vext-1.0.0.vsix
[2026-07-02T17:46:35Z] Step 2: Creating application.yml...
[2026-07-02T17:46:35Z] Application config created
[2026-07-02T17:46:35Z] Step 3: Starting PostgreSQL on port 5436...
7789e8d1dc77b82337af9006952b569489582f05c064990681b49bdbe48a4405
[2026-07-02T17:46:41Z] PostgreSQL started
[2026-07-02T17:46:41Z] Step 6: Running variant tests against vulnerable and fixed versions...
[2026-07-02T17:46:41Z] ===== Testing vuln_v1.0.1 =====
DROP SCHEMA
CREATE SCHEMA
GRANT
GRANT
5554902a14910c058b278cdbb5078e5ca279b62513b8d4f3ec545e43a04cdc8f
[2026-07-02T17:46:47Z] Waiting for vuln_v1.0.1 server to start...
[2026-07-02T17:47:09Z] Server vuln_v1.0.1 is healthy
INSERT 0 1
INSERT 0 1
[2026-07-02T17:47:09Z] Namespace creation: {"success":"Created namespace vpub"}
[2026-07-02T17:47:11Z] Publish result: {"success":"It can take a couple minutes before the extension version is available","namespaceUrl":"http://localhost:8080/api/vpub","reviewsUrl":"http://localhost:8080/api/vpub/vext/reviews","files":{"download":"http://localhost:8080/api/vpub/vext/1.0.0/file/vpub.vext-1.0.0.vsix","icon":"http://localhost:8080/api/vpub/vext/1.0.0/file/payload.html","manifest":"http://localhost:8080/api/vpub/vext/1.0.0/file/package.json","sha256":"http://localhost:8080/api/vpub/vext/1.0.0/file/vpub.vext-1.0.0.sha256","vsixmanifest":"http://localhost:8080/api/vpub/vext/1.0.0/file/extension.vsixmanifest"},"name":"vext","namespace":"vpub","targetPlatform":"universal","version":"1.0.0","preRelease":false,"publishedBy":{"loginName":"variant_user","fullName":"Variant User"},"verified":false,"unrelatedPublisher":true,"namespaceAccess":"restricted","allVersions":{},"allVersionsUrl":"http://localhost:8080/api/vpub/vext/versions","downloadCount":0,"reviewCount":0,"versionAlias":[],"timestamp":"2026-07-02T17:47:09.935971486Z","preview":false,"displayName":"Variant Test Extension","namespaceDisplayName":"vpub","description":"Variant test for CVE-2026-13323","engines":{"vscode":"^1.51.1"},"categories":["Other"],"extensionKind":["workspace"],"tags":["__ext_vext"],"homepage":"","repository":"","sponsorLink":"","bugs":"","galleryColor":"","galleryTheme":"","localizedLanguages":[],"dependencies":[],"bundledExtensions":[],"deprecated":false,"downloadable":true}
[2026-07-02T17:47:14Z] VARIANT request: http://localhost:8080/api/vpub/vext/1.0.0/file/payload.html
[2026-07-02T17:47:14Z] --- vuln_v1.0.1 VARIANT headers ---
HTTP/1.1 200 OK
Date: Thu, 02 Jul 2026 17:47:14 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: text/html
Cache-Control: max-age=2592000, public
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
X-Frame-Options: DENY
Transfer-Encoding: chunked
[2026-07-02T17:47:14Z] CONTROL request: http://localhost:8080/vscode/unpkg/vpub/vext/1.0.0/extension/payload.html
[2026-07-02T17:47:14Z] --- vuln_v1.0.1 CONTROL headers ---
HTTP/1.1 200 OK
Date: Thu, 02 Jul 2026 17:47:14 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: text/html
Cache-Control: max-age=2592000, public
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
X-Frame-Options: DENY
Transfer-Encoding: chunked
[2026-07-02T17:47:14Z] METADATA request: http://localhost:8080/api/vpub/vext/1.0.0
[2026-07-02T17:47:14Z] vuln_v1.0.1 metadata files.icon = http://localhost:8080/api/vpub/vext/1.0.0/file/payload.html
[2026-07-02T17:47:16Z] ===== Testing fixed_v1.0.2 =====
NOTICE: drop cascades to 55 other objects
DETAIL: drop cascades to table flyway_schema_history drop cascades to table extension drop cascades to table extension_review drop cascades to table extension_version drop cascades to sequence hibernate_sequence drop cascades to table namespace drop cascades to table namespace_membership drop cascades to table personal_access_token drop cascades to table spring_session drop cascades to table spring_session_attributes drop cascades to table user_data drop cascades to table persisted_log drop cascades to table file_resource drop cascades to table admin_statistics drop cascades to table admin_statistics_publishers_by_extensions_published drop cascades to table admin_statistics_extensions_by_rating drop cascades to table admin_statistics_top_most_active_publishing_users drop cascades to table admin_statistics_top_namespace_extensions drop cascades to table admin_statistics_top_namespace_extension_versions drop cascades to table admin_statistics_top_most_downloaded_extensions drop cascades to table migration_item drop cascades to table namespace_social_links drop cascades to table signature_key_pair drop cascades to table download_count_processed_item drop cascades to extension fuzzystrmatch drop cascades to sequence extension_scan_seq drop cascades to sequence extension_validation_failure_seq drop cascades to sequence extension_threat_seq drop cascades to sequence admin_scan_decision_seq drop cascades to sequence file_decision_seq drop cascades to table extension_scan drop cascades to table extension_validation_failure drop cascades to table extension_threat drop cascades to table admin_scan_decision drop cascades to table file_decision drop cascades to table scan_job drop cascades to sequence scan_check_result_seq drop cascades to table scan_check_result drop cascades to table tier drop cascades to table customer drop cascades to table usage_stats drop cascades to sequence customer_membership_seq drop cascades to table customer_membership drop cascades to sequence rate_limit_token_seq drop cascades to table rate_limit_token drop cascades to sequence daily_usage_stats_seq drop cascades to table daily_usage_stats drop cascades to sequence setting_seq drop cascades to table setting drop cascades to table jobrunr_migrations drop cascades to table jobrunr_jobs drop cascades to table jobrunr_recurring_jobs drop cascades to table jobrunr_backgroundjobservers drop cascades to table jobrunr_metadata drop cascades to view jobrunr_jobs_stats
DROP SCHEMA
CREATE SCHEMA
GRANT
GRANT
9506131695f0bdddb1d1735028872a46fa50edbb008bb8a1365bbf174eccaf1b
[2026-07-02T17:47:22Z] Waiting for fixed_v1.0.2 server to start...
[2026-07-02T17:47:44Z] Server fixed_v1.0.2 is healthy
INSERT 0 1
INSERT 0 1
[2026-07-02T17:47:45Z] Namespace creation: {"success":"Created namespace vpub"}
[2026-07-02T17:47:45Z] Publish result: {"success":"It can take a couple minutes before the extension version is available","namespaceUrl":"http://localhost:8080/api/vpub","reviewsUrl":"http://localhost:8080/api/vpub/vext/reviews","files":{"download":"http://localhost:8080/api/vpub/vext/1.0.0/file/vpub.vext-1.0.0.vsix","icon":"http://localhost:8080/api/vpub/vext/1.0.0/file/payload.html","manifest":"http://localhost:8080/api/vpub/vext/1.0.0/file/package.json","sha256":"http://localhost:8080/api/vpub/vext/1.0.0/file/vpub.vext-1.0.0.sha256","vsixmanifest":"http://localhost:8080/api/vpub/vext/1.0.0/file/extension.vsixmanifest"},"name":"vext","namespace":"vpub","targetPlatform":"universal","version":"1.0.0","preRelease":false,"publishedBy":{"loginName":"variant_user","fullName":"Variant User"},"verified":false,"unrelatedPublisher":true,"namespaceAccess":"restricted","allVersions":{},"allVersionsUrl":"http://localhost:8080/api/vpub/vext/versions","downloadCount":0,"reviewCount":0,"versionAlias":[],"timestamp":"2026-07-02T17:47:45.119971603Z","preview":false,"displayName":"Variant Test Extension","namespaceDisplayName":"vpub","description":"Variant test for CVE-2026-13323","engines":{"vscode":"^1.51.1"},"categories":["Other"],"extensionKind":["workspace"],"tags":["__ext_vext"],"homepage":"","repository":"","sponsorLink":"","bugs":"","galleryColor":"","galleryTheme":"","localizedLanguages":[],"dependencies":[],"bundledExtensions":[],"deprecated":false,"downloadable":true}
[2026-07-02T17:47:48Z] VARIANT request: http://localhost:8080/api/vpub/vext/1.0.0/file/payload.html
[2026-07-02T17:47:48Z] --- fixed_v1.0.2 VARIANT headers ---
HTTP/1.1 200 OK
Date: Thu, 02 Jul 2026 17:47:48 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: text/plain;charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Cache-Control: max-age=86400, must-revalidate, public
Content-Security-Policy: default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; sandbox
X-XSS-Protection: 0
Transfer-Encoding: chunked
[2026-07-02T17:47:48Z] CONTROL request: http://localhost:8080/vscode/unpkg/vpub/vext/1.0.0/extension/payload.html
[2026-07-02T17:47:49Z] --- fixed_v1.0.2 CONTROL headers ---
HTTP/1.1 200 OK
Date: Thu, 02 Jul 2026 17:47:49 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: text/plain;charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Cache-Control: max-age=86400, must-revalidate, public
Content-Security-Policy: default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; sandbox
X-XSS-Protection: 0
Transfer-Encoding: chunked
[2026-07-02T17:47:49Z] METADATA request: http://localhost:8080/api/vpub/vext/1.0.0
[2026-07-02T17:47:49Z] fixed_v1.0.2 metadata files.icon = http://localhost:8080/api/vpub/vext/1.0.0/file/payload.html
[2026-07-02T17:47:51Z] Step 7: Computing variant verdict...
[2026-07-02T17:47:51Z] VULN variant (/api/.../file/payload.html): CT=text/html|CSP=0|CD=0|INLINE_HTML=1
[2026-07-02T17:47:51Z] FIXED variant (/api/.../file/payload.html): CT=text/plain;charset=utf-8|CSP=1|CD=0|INLINE_HTML=0
[2026-07-02T17:47:51Z] VULN control (/vscode/unpkg/.../payload.html): CT=text/html|CSP=0|CD=0|INLINE_HTML=1
[2026-07-02T17:47:51Z] FIXED control (/vscode/unpkg/.../payload.html): CT=text/plain;charset=utf-8|CSP=1|CD=0|INLINE_HTML=0
[2026-07-02T17:47:51Z] Variant reproduced on VULNERABLE (v1.0.1): true
[2026-07-02T17:47:51Z] Variant reproduced on FIXED (v1.0.2) -> BYPASS: false
CVE-2026-13323 VARIANT verdict
================================
Variant: HTML smuggled as extension ICON, served via /api/{ns}/{ext}/{ver}/file/payload.html (alternate entry point vs. repro /vscode/unpkg/.../extension/payload.html)
VULNERABLE (v1.0.1) variant headers: CT=text/html|CSP=0|CD=0|INLINE_HTML=1
FIXED (v1.0.2) variant headers: CT=text/plain;charset=utf-8|CSP=1|CD=0|INLINE_HTML=0
VULNERABLE (v1.0.1) control headers: CT=text/html|CSP=0|CD=0|INLINE_HTML=1
FIXED (v1.0.2) control headers: CT=text/plain;charset=utf-8|CSP=1|CD=0|INLINE_HTML=0
Variant reproduced on VULNERABLE: true
Variant BYPASS on FIXED: false
Outcome: alternate_trigger_on_vulnerable_only (fix covers the variant -> NOT a bypass)
[2026-07-02T17:47:51Z] Cleaning up Docker containers...
[2026-07-02T17:48:06Z] Step 1: Creating variant VSIX (HTML smuggled as icon)...
Created vpub.vext-1.0.0.vsix (2031 bytes)
[2026-07-02T17:48:06Z] Variant VSIX created at /data/pruva/runs/ca30852c-9595-4b4b-b0b6-592b9e72d11a/bundle/vuln_variant/vpub.vext-1.0.0.vsix
[2026-07-02T17:48:06Z] Step 2: Creating application.yml...
[2026-07-02T17:48:06Z] Application config created
[2026-07-02T17:48:06Z] Step 3: Starting PostgreSQL on port 5436...
c567cfdbbce6ea43585c77d02ffbc5da0bba1125e6d71df6908ca09fafebb624
[2026-07-02T17:48:11Z] PostgreSQL started
[2026-07-02T17:48:11Z] Step 6: Running variant tests against vulnerable and fixed versions...
[2026-07-02T17:48:11Z] ===== Testing vuln_v1.0.1 =====
DROP SCHEMA
CREATE SCHEMA
GRANT
GRANT
f0fd10fe1934b4aceacb35d34436c41369c7c26adb9552aeabc9716d230b774b
[2026-07-02T17:48:17Z] Waiting for vuln_v1.0.1 server to start...
[2026-07-02T17:48:39Z] Server vuln_v1.0.1 is healthy
INSERT 0 1
INSERT 0 1
[2026-07-02T17:48:40Z] Namespace creation: {"success":"Created namespace vpub"}
[2026-07-02T17:48:40Z] Publish result: {"success":"It can take a couple minutes before the extension version is available","namespaceUrl":"http://localhost:8080/api/vpub","reviewsUrl":"http://localhost:8080/api/vpub/vext/reviews","files":{"download":"http://localhost:8080/api/vpub/vext/1.0.0/file/vpub.vext-1.0.0.vsix","icon":"http://localhost:8080/api/vpub/vext/1.0.0/file/payload.html","manifest":"http://localhost:8080/api/vpub/vext/1.0.0/file/package.json","sha256":"http://localhost:8080/api/vpub/vext/1.0.0/file/vpub.vext-1.0.0.sha256","vsixmanifest":"http://localhost:8080/api/vpub/vext/1.0.0/file/extension.vsixmanifest"},"name":"vext","namespace":"vpub","targetPlatform":"universal","version":"1.0.0","preRelease":false,"publishedBy":{"loginName":"variant_user","fullName":"Variant User"},"verified":false,"unrelatedPublisher":true,"namespaceAccess":"restricted","allVersions":{},"allVersionsUrl":"http://localhost:8080/api/vpub/vext/versions","downloadCount":0,"reviewCount":0,"versionAlias":[],"timestamp":"2026-07-02T17:48:40.206979930Z","preview":false,"displayName":"Variant Test Extension","namespaceDisplayName":"vpub","description":"Variant test for CVE-2026-13323","engines":{"vscode":"^1.51.1"},"categories":["Other"],"extensionKind":["workspace"],"tags":["__ext_vext"],"homepage":"","repository":"","sponsorLink":"","bugs":"","galleryColor":"","galleryTheme":"","localizedLanguages":[],"dependencies":[],"bundledExtensions":[],"deprecated":false,"downloadable":true}
[2026-07-02T17:48:43Z] VARIANT request: http://localhost:8080/api/vpub/vext/1.0.0/file/payload.html
[2026-07-02T17:48:44Z] --- vuln_v1.0.1 VARIANT headers ---
HTTP/1.1 200 OK
Date: Thu, 02 Jul 2026 17:48:43 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: text/html
Cache-Control: max-age=2592000, public
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
X-Frame-Options: DENY
Transfer-Encoding: chunked
[2026-07-02T17:48:44Z] CONTROL request: http://localhost:8080/vscode/unpkg/vpub/vext/1.0.0/extension/payload.html
[2026-07-02T17:48:44Z] --- vuln_v1.0.1 CONTROL headers ---
HTTP/1.1 200 OK
Date: Thu, 02 Jul 2026 17:48:44 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: text/html
Cache-Control: max-age=2592000, public
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
X-Frame-Options: DENY
Transfer-Encoding: chunked
[2026-07-02T17:48:44Z] METADATA request: http://localhost:8080/api/vpub/vext/1.0.0
[2026-07-02T17:48:44Z] vuln_v1.0.1 metadata files.icon = http://localhost:8080/api/vpub/vext/1.0.0/file/payload.html
[2026-07-02T17:48:46Z] ===== Testing fixed_v1.0.2 =====
NOTICE: drop cascades to 55 other objects
DETAIL: drop cascades to table flyway_schema_history drop cascades to table extension drop cascades to table extension_review drop cascades to table extension_version drop cascades to sequence hibernate_sequence drop cascades to table namespace drop cascades to table namespace_membership drop cascades to table personal_access_token drop cascades to table spring_session drop cascades to table spring_session_attributes drop cascades to table user_data drop cascades to table persisted_log drop cascades to table file_resource drop cascades to table admin_statistics drop cascades to table admin_statistics_publishers_by_extensions_published drop cascades to table admin_statistics_extensions_by_rating drop cascades to table admin_statistics_top_most_active_publishing_users drop cascades to table admin_statistics_top_namespace_extensions drop cascades to table admin_statistics_top_namespace_extension_versions drop cascades to table admin_statistics_top_most_downloaded_extensions drop cascades to table migration_item drop cascades to table namespace_social_links drop cascades to table signature_key_pair drop cascades to table download_count_processed_item drop cascades to extension fuzzystrmatch drop cascades to sequence extension_scan_seq drop cascades to sequence extension_validation_failure_seq drop cascades to sequence extension_threat_seq drop cascades to sequence admin_scan_decision_seq drop cascades to sequence file_decision_seq drop cascades to table extension_scan drop cascades to table extension_validation_failure drop cascades to table extension_threat drop cascades to table admin_scan_decision drop cascades to table file_decision drop cascades to table scan_job drop cascades to sequence scan_check_result_seq drop cascades to table scan_check_result drop cascades to table tier drop cascades to table customer drop cascades to table usage_stats drop cascades to sequence customer_membership_seq drop cascades to table customer_membership drop cascades to sequence rate_limit_token_seq drop cascades to table rate_limit_token drop cascades to sequence daily_usage_stats_seq drop cascades to table daily_usage_stats drop cascades to sequence setting_seq drop cascades to table setting drop cascades to table jobrunr_migrations drop cascades to table jobrunr_jobs drop cascades to table jobrunr_recurring_jobs drop cascades to table jobrunr_backgroundjobservers drop cascades to table jobrunr_metadata drop cascades to view jobrunr_jobs_stats
DROP SCHEMA
CREATE SCHEMA
GRANT
GRANT
64d72006d44f746dd241549d674be0a5cfb0b59cb0753765fdbccd7587f4d88d
[2026-07-02T17:48:52Z] Waiting for fixed_v1.0.2 server to start...
[2026-07-02T17:49:14Z] Server fixed_v1.0.2 is healthy
INSERT 0 1
INSERT 0 1
[2026-07-02T17:49:14Z] Namespace creation: {"success":"Created namespace vpub"}
[2026-07-02T17:49:15Z] Publish result: {"success":"It can take a couple minutes before the extension version is available","namespaceUrl":"http://localhost:8080/api/vpub","reviewsUrl":"http://localhost:8080/api/vpub/vext/reviews","files":{"download":"http://localhost:8080/api/vpub/vext/1.0.0/file/vpub.vext-1.0.0.vsix","icon":"http://localhost:8080/api/vpub/vext/1.0.0/file/payload.html","manifest":"http://localhost:8080/api/vpub/vext/1.0.0/file/package.json","sha256":"http://localhost:8080/api/vpub/vext/1.0.0/file/vpub.vext-1.0.0.sha256","vsixmanifest":"http://localhost:8080/api/vpub/vext/1.0.0/file/extension.vsixmanifest"},"name":"vext","namespace":"vpub","targetPlatform":"universal","version":"1.0.0","preRelease":false,"publishedBy":{"loginName":"variant_user","fullName":"Variant User"},"verified":false,"unrelatedPublisher":true,"namespaceAccess":"restricted","allVersions":{},"allVersionsUrl":"http://localhost:8080/api/vpub/vext/versions","downloadCount":0,"reviewCount":0,"versionAlias":[],"timestamp":"2026-07-02T17:49:14.696156305Z","preview":false,"displayName":"Variant Test Extension","namespaceDisplayName":"vpub","description":"Variant test for CVE-2026-13323","engines":{"vscode":"^1.51.1"},"categories":["Other"],"extensionKind":["workspace"],"tags":["__ext_vext"],"homepage":"","repository":"","sponsorLink":"","bugs":"","galleryColor":"","galleryTheme":"","localizedLanguages":[],"dependencies":[],"bundledExtensions":[],"deprecated":false,"downloadable":true}
[2026-07-02T17:49:18Z] VARIANT request: http://localhost:8080/api/vpub/vext/1.0.0/file/payload.html
[2026-07-02T17:49:18Z] --- fixed_v1.0.2 VARIANT headers ---
HTTP/1.1 200 OK
Date: Thu, 02 Jul 2026 17:49:18 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: text/plain;charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Cache-Control: max-age=86400, must-revalidate, public
Content-Security-Policy: default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; sandbox
X-XSS-Protection: 0
Transfer-Encoding: chunked
[2026-07-02T17:49:18Z] CONTROL request: http://localhost:8080/vscode/unpkg/vpub/vext/1.0.0/extension/payload.html
[2026-07-02T17:49:18Z] --- fixed_v1.0.2 CONTROL headers ---
HTTP/1.1 200 OK
Date: Thu, 02 Jul 2026 17:49:18 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: text/plain;charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Cache-Control: max-age=86400, must-revalidate, public
Content-Security-Policy: default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; sandbox
X-XSS-Protection: 0
Transfer-Encoding: chunked
[2026-07-02T17:49:18Z] METADATA request: http://localhost:8080/api/vpub/vext/1.0.0
[2026-07-02T17:49:18Z] fixed_v1.0.2 metadata files.icon = http://localhost:8080/api/vpub/vext/1.0.0/file/payload.html
[2026-07-02T17:49:21Z] Step 7: Computing variant verdict...
[2026-07-02T17:49:21Z] VULN variant (/api/.../file/payload.html): CT=text/html|CSP=0|CD=0|INLINE_HTML=1
[2026-07-02T17:49:21Z] FIXED variant (/api/.../file/payload.html): CT=text/plain;charset=utf-8|CSP=1|CD=0|INLINE_HTML=0
[2026-07-02T17:49:21Z] VULN control (/vscode/unpkg/.../payload.html): CT=text/html|CSP=0|CD=0|INLINE_HTML=1
[2026-07-02T17:49:21Z] FIXED control (/vscode/unpkg/.../payload.html): CT=text/plain;charset=utf-8|CSP=1|CD=0|INLINE_HTML=0
[2026-07-02T17:49:21Z] Variant reproduced on VULNERABLE (v1.0.1): true
[2026-07-02T17:49:21Z] Variant reproduced on FIXED (v1.0.2) -> BYPASS: false
CVE-2026-13323 VARIANT verdict
================================
Variant: HTML smuggled as extension ICON, served via /api/{ns}/{ext}/{ver}/file/payload.html (alternate entry point vs. repro /vscode/unpkg/.../extension/payload.html)
VULNERABLE (v1.0.1) variant headers: CT=text/html|CSP=0|CD=0|INLINE_HTML=1
FIXED (v1.0.2) variant headers: CT=text/plain;charset=utf-8|CSP=1|CD=0|INLINE_HTML=0
VULNERABLE (v1.0.1) control headers: CT=text/html|CSP=0|CD=0|INLINE_HTML=1
FIXED (v1.0.2) control headers: CT=text/plain;charset=utf-8|CSP=1|CD=0|INLINE_HTML=0
Variant reproduced on VULNERABLE: true
Variant BYPASS on FIXED: false
Outcome: alternate_trigger_on_vulnerable_only (fix covers the variant -> NOT a bypass)
[2026-07-02T17:49:21Z] Cleaning up Docker containers...
[2026-07-02T17:49:55Z] Step 1: Creating variant VSIX (HTML smuggled as icon)...
Created vpub.vext-1.0.0.vsix (2031 bytes)
[2026-07-02T17:49:55Z] Variant VSIX created at /data/pruva/runs/ca30852c-9595-4b4b-b0b6-592b9e72d11a/bundle/vuln_variant/vpub.vext-1.0.0.vsix
[2026-07-02T17:49:55Z] Step 2: Creating application.yml...
[2026-07-02T17:49:55Z] Application config created
[2026-07-02T17:49:55Z] Step 3: Starting PostgreSQL on port 5436...
45502351f30ce70ec697a81ac8baace27aa831fd65f638b59ec85971c63c3b43
[2026-07-02T17:50:00Z] PostgreSQL started
[2026-07-02T17:50:00Z] Step 6: Running variant tests against vulnerable and fixed versions...
[2026-07-02T17:50:00Z] ===== Testing vuln_v1.0.1 =====
DROP SCHEMA
CREATE SCHEMA
GRANT
GRANT
ae55f6151b0994e61e4d0e2abf935f5c42aa2f3548f2b250e2803c93aa3cec17
[2026-07-02T17:50:06Z] Waiting for vuln_v1.0.1 server to start...
[2026-07-02T17:50:25Z] Server vuln_v1.0.1 is healthy
INSERT 0 1
INSERT 0 1
[2026-07-02T17:50:25Z] Namespace creation: {"success":"Created namespace vpub"}
[2026-07-02T17:50:26Z] Publish result: {"success":"It can take a couple minutes before the extension version is available","namespaceUrl":"http://localhost:8080/api/vpub","reviewsUrl":"http://localhost:8080/api/vpub/vext/reviews","files":{"download":"http://localhost:8080/api/vpub/vext/1.0.0/file/vpub.vext-1.0.0.vsix","icon":"http://localhost:8080/api/vpub/vext/1.0.0/file/payload.html","manifest":"http://localhost:8080/api/vpub/vext/1.0.0/file/package.json","sha256":"http://localhost:8080/api/vpub/vext/1.0.0/file/vpub.vext-1.0.0.sha256","vsixmanifest":"http://localhost:8080/api/vpub/vext/1.0.0/file/extension.vsixmanifest"},"name":"vext","namespace":"vpub","targetPlatform":"universal","version":"1.0.0","preRelease":false,"publishedBy":{"loginName":"variant_user","fullName":"Variant User"},"verified":false,"unrelatedPublisher":true,"namespaceAccess":"restricted","allVersions":{},"allVersionsUrl":"http://localhost:8080/api/vpub/vext/versions","downloadCount":0,"reviewCount":0,"versionAlias":[],"timestamp":"2026-07-02T17:50:25.632791519Z","preview":false,"displayName":"Variant Test Extension","namespaceDisplayName":"vpub","description":"Variant test for CVE-2026-13323","engines":{"vscode":"^1.51.1"},"categories":["Other"],"extensionKind":["workspace"],"tags":["__ext_vext"],"homepage":"","repository":"","sponsorLink":"","bugs":"","galleryColor":"","galleryTheme":"","localizedLanguages":[],"dependencies":[],"bundledExtensions":[],"deprecated":false,"downloadable":true}
[2026-07-02T17:50:29Z] VARIANT request: http://localhost:8080/api/vpub/vext/1.0.0/file/payload.html
[2026-07-02T17:50:29Z] --- vuln_v1.0.1 VARIANT headers ---
HTTP/1.1 200 OK
Date: Thu, 02 Jul 2026 17:50:29 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: text/html
Cache-Control: max-age=2592000, public
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
X-Frame-Options: DENY
Transfer-Encoding: chunked
[2026-07-02T17:50:29Z] CONTROL request: http://localhost:8080/vscode/unpkg/vpub/vext/1.0.0/extension/payload.html
[2026-07-02T17:50:29Z] --- vuln_v1.0.1 CONTROL headers ---
HTTP/1.1 200 OK
Date: Thu, 02 Jul 2026 17:50:29 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: text/html
Cache-Control: max-age=2592000, public
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
X-Frame-Options: DENY
Transfer-Encoding: chunked
[2026-07-02T17:50:29Z] METADATA request: http://localhost:8080/api/vpub/vext/1.0.0
[2026-07-02T17:50:29Z] vuln_v1.0.1 metadata files.icon = http://localhost:8080/api/vpub/vext/1.0.0/file/payload.html
[2026-07-02T17:50:32Z] ===== Testing fixed_v1.0.2 =====
NOTICE: drop cascades to 55 other objects
DETAIL: drop cascades to table flyway_schema_history drop cascades to table extension drop cascades to table extension_review drop cascades to table extension_version drop cascades to sequence hibernate_sequence drop cascades to table namespace drop cascades to table namespace_membership drop cascades to table personal_access_token drop cascades to table spring_session drop cascades to table spring_session_attributes drop cascades to table user_data drop cascades to table persisted_log drop cascades to table file_resource drop cascades to table admin_statistics drop cascades to table admin_statistics_publishers_by_extensions_published drop cascades to table admin_statistics_extensions_by_rating drop cascades to table admin_statistics_top_most_active_publishing_users drop cascades to table admin_statistics_top_namespace_extensions drop cascades to table admin_statistics_top_namespace_extension_versions drop cascades to table admin_statistics_top_most_downloaded_extensions drop cascades to table migration_item drop cascades to table namespace_social_links drop cascades to table signature_key_pair drop cascades to table download_count_processed_item drop cascades to extension fuzzystrmatch drop cascades to sequence extension_scan_seq drop cascades to sequence extension_validation_failure_seq drop cascades to sequence extension_threat_seq drop cascades to sequence admin_scan_decision_seq drop cascades to sequence file_decision_seq drop cascades to table extension_scan drop cascades to table extension_validation_failure drop cascades to table extension_threat drop cascades to table admin_scan_decision drop cascades to table file_decision drop cascades to table scan_job drop cascades to sequence scan_check_result_seq drop cascades to table scan_check_result drop cascades to table tier drop cascades to table customer drop cascades to table usage_stats drop cascades to sequence customer_membership_seq drop cascades to table customer_membership drop cascades to sequence rate_limit_token_seq drop cascades to table rate_limit_token drop cascades to sequence daily_usage_stats_seq drop cascades to table daily_usage_stats drop cascades to sequence setting_seq drop cascades to table setting drop cascades to table jobrunr_migrations drop cascades to table jobrunr_jobs drop cascades to table jobrunr_recurring_jobs drop cascades to table jobrunr_backgroundjobservers drop cascades to table jobrunr_metadata drop cascades to view jobrunr_jobs_stats
DROP SCHEMA
CREATE SCHEMA
GRANT
GRANT
28f26bb986375596b0c7434d6e97d824c8080c0b854762f1f7701ed4c9d10fed
[2026-07-02T17:50:37Z] Waiting for fixed_v1.0.2 server to start...
[2026-07-02T17:50:56Z] Server fixed_v1.0.2 is healthy
INSERT 0 1
INSERT 0 1
[2026-07-02T17:50:57Z] Namespace creation: {"success":"Created namespace vpub"}
[2026-07-02T17:50:57Z] Publish result: {"success":"It can take a couple minutes before the extension version is available","namespaceUrl":"http://localhost:8080/api/vpub","reviewsUrl":"http://localhost:8080/api/vpub/vext/reviews","files":{"download":"http://localhost:8080/api/vpub/vext/1.0.0/file/vpub.vext-1.0.0.vsix","icon":"http://localhost:8080/api/vpub/vext/1.0.0/file/payload.html","manifest":"http://localhost:8080/api/vpub/vext/1.0.0/file/package.json","sha256":"http://localhost:8080/api/vpub/vext/1.0.0/file/vpub.vext-1.0.0.sha256","vsixmanifest":"http://localhost:8080/api/vpub/vext/1.0.0/file/extension.vsixmanifest"},"name":"vext","namespace":"vpub","targetPlatform":"universal","version":"1.0.0","preRelease":false,"publishedBy":{"loginName":"variant_user","fullName":"Variant User"},"verified":false,"unrelatedPublisher":true,"namespaceAccess":"restricted","allVersions":{},"allVersionsUrl":"http://localhost:8080/api/vpub/vext/versions","downloadCount":0,"reviewCount":0,"versionAlias":[],"timestamp":"2026-07-02T17:50:57.062148528Z","preview":false,"displayName":"Variant Test Extension","namespaceDisplayName":"vpub","description":"Variant test for CVE-2026-13323","engines":{"vscode":"^1.51.1"},"categories":["Other"],"extensionKind":["workspace"],"tags":["__ext_vext"],"homepage":"","repository":"","sponsorLink":"","bugs":"","galleryColor":"","galleryTheme":"","localizedLanguages":[],"dependencies":[],"bundledExtensions":[],"deprecated":false,"downloadable":true}
[2026-07-02T17:51:00Z] VARIANT request: http://localhost:8080/api/vpub/vext/1.0.0/file/payload.html
[2026-07-02T17:51:00Z] --- fixed_v1.0.2 VARIANT headers ---
HTTP/1.1 200 OK
Date: Thu, 02 Jul 2026 17:51:00 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: text/plain;charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Cache-Control: max-age=86400, must-revalidate, public
Content-Security-Policy: default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; sandbox
X-XSS-Protection: 0
Transfer-Encoding: chunked
[2026-07-02T17:51:00Z] CONTROL request: http://localhost:8080/vscode/unpkg/vpub/vext/1.0.0/extension/payload.html
[2026-07-02T17:51:01Z] --- fixed_v1.0.2 CONTROL headers ---
HTTP/1.1 200 OK
Date: Thu, 02 Jul 2026 17:51:00 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: text/plain;charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Cache-Control: max-age=86400, must-revalidate, public
Content-Security-Policy: default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; sandbox
X-XSS-Protection: 0
Transfer-Encoding: chunked
[2026-07-02T17:51:01Z] METADATA request: http://localhost:8080/api/vpub/vext/1.0.0
[2026-07-02T17:51:01Z] fixed_v1.0.2 metadata files.icon = http://localhost:8080/api/vpub/vext/1.0.0/file/payload.html
[2026-07-02T17:51:03Z] Step 7: Computing variant verdict...
[2026-07-02T17:51:03Z] VULN variant (/api/.../file/payload.html): CT=text/html|CSP=0|CD=0|INLINE_HTML=1
[2026-07-02T17:51:03Z] FIXED variant (/api/.../file/payload.html): CT=text/plain;charset=utf-8|CSP=1|CD=0|INLINE_HTML=0
[2026-07-02T17:51:03Z] VULN control (/vscode/unpkg/.../payload.html): CT=text/html|CSP=0|CD=0|INLINE_HTML=1
[2026-07-02T17:51:03Z] FIXED control (/vscode/unpkg/.../payload.html): CT=text/plain;charset=utf-8|CSP=1|CD=0|INLINE_HTML=0
[2026-07-02T17:51:03Z] Variant reproduced on VULNERABLE (v1.0.1): true
[2026-07-02T17:51:03Z] Variant reproduced on FIXED (v1.0.2) -> BYPASS: false
CVE-2026-13323 VARIANT verdict
================================
Variant: HTML smuggled as extension ICON, served via /api/{ns}/{ext}/{ver}/file/payload.html (alternate entry point vs. repro /vscode/unpkg/.../extension/payload.html)
VULNERABLE (v1.0.1) variant headers: CT=text/html|CSP=0|CD=0|INLINE_HTML=1
FIXED (v1.0.2) variant headers: CT=text/plain;charset=utf-8|CSP=1|CD=0|INLINE_HTML=0
VULNERABLE (v1.0.1) control headers: CT=text/html|CSP=0|CD=0|INLINE_HTML=1
FIXED (v1.0.2) control headers: CT=text/plain;charset=utf-8|CSP=1|CD=0|INLINE_HTML=0
Variant reproduced on VULNERABLE: true
Variant BYPASS on FIXED: false
Outcome: alternate_trigger_on_vulnerable_only (fix covers the variant -> NOT a bypass)
Wrote /data/pruva/runs/ca30852c-9595-4b4b-b0b6-592b9e72d11a/bundle/logs/vuln_variant/variant_result.json
[2026-07-02T17:51:03Z] Variant reproduction script complete.
[2026-07-02T17:51:03Z] Cleaning up Docker containers...
[2026-07-02T17:51:07Z] Step 1: Creating variant VSIX (HTML smuggled as icon)...
Created vpub.vext-1.0.0.vsix (2031 bytes)
[2026-07-02T17:51:07Z] Variant VSIX created at /data/pruva/runs/ca30852c-9595-4b4b-b0b6-592b9e72d11a/bundle/vuln_variant/vpub.vext-1.0.0.vsix
[2026-07-02T17:51:07Z] Step 2: Creating application.yml...
[2026-07-02T17:51:07Z] Application config created
[2026-07-02T17:51:07Z] Step 3: Starting PostgreSQL on port 5436...
fc3e515c52d18e512a730d4acd6f3d0110ec90664df28995dd663c6b86d04d37
[2026-07-02T17:51:12Z] PostgreSQL started
[2026-07-02T17:51:12Z] Step 6: Running variant tests against vulnerable and fixed versions...
[2026-07-02T17:51:12Z] ===== Testing vuln_v1.0.1 =====
DROP SCHEMA
CREATE SCHEMA
GRANT
GRANT
c9c46d69907a60396e95bc7c26e01389b5f0a071646bfaacd388a6fcb4922d7a
[2026-07-02T17:51:20Z] Waiting for vuln_v1.0.1 server to start...
[2026-07-02T17:52:53Z] ERROR: Server vuln_v1.0.1 did not become healthy
[2026-07-02T17:52:53Z] Cleaning up Docker containers...