{
  "repository": "https://github.com/EstrellaXD/Auto_Bangumi.git",
  "commit_source": "git_rev_parse_and_tag_resolution",
  "commit_sha": "b090ec7b02fd91a10bf45c7702ad392ae3ad65ef",
  "repo_head_display": "main @ b090ec7b (3.2.8-4-gb090ec7b)",
  "submitted_target": {
    "target_kind": "docker_image",
    "commit_sha": "717ad11f7fad572ee8fe8ffe7edfe68bde9624c8",
    "version": "3.2.6",
    "ref": "3.2.6",
    "display": "ghcr.io/estrellaxd/auto_bangumi:3.2.6 (vulnerable baseline, < 3.2.8)"
  },
  "variant_target": {
    "target_kind": "docker_image",
    "commit_sha": "265b449fad6d753f061a09aaa03fcd3eb739a266",
    "version": "3.2.8",
    "ref": "3.2.8",
    "display": "ghcr.io/estrellaxd/auto_bangumi:latest (=3.2.8 build, the claimed patched version)"
  },
  "secondary_confirmed_targets": [
    {
      "target_kind": "docker_image",
      "commit_sha": "c8f402fd687c443d91e6c6dc3474032b9a9182eb",
      "version": "3.3.0-beta.2",
      "ref": "3.3.0-beta.2",
      "display": "ghcr.io/estrellaxd/auto_bangumi:3.3.0-beta.2 (latest beta)"
    }
  ],
  "tag_resolution": {
    "3.2.6": "717ad11f7fad572ee8fe8ffe7edfe68bde9624c8",
    "3.2.8": "265b449fad6d753f061a09aaa03fcd3eb739a266",
    "3.3.0-beta.2": "c8f402fd687c443d91e6c6dc3474032b9a9182eb",
    "main_HEAD": "b090ec7b02fd91a10bf45c7702ad392ae3ad65ef"
  },
  "image_reported_versions": {
    "ghcr.io/estrellaxd/auto_bangumi:3.2.6": "3.2.6",
    "ghcr.io/estrellaxd/auto_bangumi:latest": "3.2.8",
    "ghcr.io/estrellaxd/auto_bangumi:3.3.0-beta.2": "3.3.0-beta.2"
  },
  "image_version_probe": "docker exec <container> python3 -c \"import module.__version__ as v; print(v.VERSION)\" -> matches the tag version, confirming the image build carries the expected release VERSION (DEV_AUTH_BYPASS not active).",
  "fix_commit_referenced_by_advisory": "487bdfec545e805ae416e6ddf28651bd274d6a73",
  "notes": "Source identity resolved from the prepared project-cache repo (git rev-parse HEAD + git rev-list -n1 <tag>). The variant_target is the FIXED/LATEST version on which the bypass was proven: :latest currently resolves to the 3.2.8 build (image-reported VERSION=3.2.8), tag commit 265b449f. The bypass was additionally confirmed on :3.3.0-beta.2 (c8f402fd). All three tested images' reported VERSIONs match their tags, confirming the exact tested source identity."
}
