CVE-2026-48816 variant/bypass: CONFIRMED on fixed @sigstore/verify 3.1.1 (f074710).

Fix gates getTLogTimestamp on inclusionPromise PRESENCE only; relies on verifyTLogs() -> verifyTLogSET() to bind integratedTime, but verifyTLogs iterates entity.tlogEntries (not entity.timestamps). A decoupled SignedEntity (tlogEntries empty) with a FORGED inclusionPromise + attacker integratedTime passes the presence check, the SET is never validated, and verify() succeeds -> expired cert accepted on the FIXED version.

Negative control: coupled bundle path rejects forged SET (TLOG_INCLUSION_PROMISE_ERROR) on both versions.

Original inclusionProof-only vector: closed on fixed (TIMESTAMP_ERROR), open on vulnerable.

Exit 0. Repo restored to f074710, clean.
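
Added example, not code from @sigstore/verify or from this note's author: a simplified model of the presence-only gate next to a form that binds integratedTime to a SET verified in the same loop. The field names and error codes are taken from the note; checkSET, verifyTLogEntries, presenceGatedTimes, boundTimes, errorOf and all sample values are assumptions made for illustration.

```javascript
// Simplified model, NOT @sigstore/verify source. Field names follow the note;
// every function name below is hypothetical.

// Stand-in for SET signature verification (assumption): a promise counts as
// valid only if the trusted log issued it.
function checkSET(entry, issuedByLog) {
  return entry.inclusionPromise !== undefined && issuedByLog.has(entry.inclusionPromise);
}

// Shared step: SET verification over tlogEntries, as the note describes.
function verifyTLogEntries(entity, issuedByLog) {
  for (const e of entity.tlogEntries) {
    if (!checkSET(e, issuedByLog)) throw new Error('TLOG_INCLUSION_PROMISE_ERROR');
  }
}

// Pattern from the note: timestamps are selected on promise presence only.
function presenceGatedTimes(entity, issuedByLog) {
  verifyTLogEntries(entity, issuedByLog);
  return entity.timestamps
    .filter((t) => t.inclusionPromise !== undefined)
    .map((t) => t.integratedTime);
}

// Hardened form: an integratedTime is used only after its own SET verifies.
function boundTimes(entity, issuedByLog) {
  verifyTLogEntries(entity, issuedByLog);
  const times = [];
  for (const t of entity.timestamps) {
    if (t.inclusionPromise === undefined) continue; // proof only: no trusted time
    if (!checkSET(t, issuedByLog)) throw new Error('TLOG_INCLUSION_PROMISE_ERROR');
    times.push(t.integratedTime);
  }
  if (times.length === 0) throw new Error('TIMESTAMP_ERROR');
  return times;
}

// Constructed sample data (not real log output).
const issuedByLog = new Set(['set-from-log']);
const good = { inclusionPromise: 'set-from-log', integratedTime: 1700000000 };
const unverifiable = { inclusionPromise: 'not-from-log', integratedTime: 1600000000 };
const coupled = { tlogEntries: [good], timestamps: [good] };
const coupledBad = { tlogEntries: [unverifiable], timestamps: [unverifiable] };
const decoupled = { tlogEntries: [], timestamps: [unverifiable] };

// Returns the error message a call throws, or null when it succeeds.
function errorOf(fn) { try { fn(); return null; } catch (e) { return e.message; } }
```

In this model the decoupled entity yields a timestamp from presenceGatedTimes and TLOG_INCLUSION_PROMISE_ERROR from boundTimes, while the coupled negative control is rejected by both.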