[05:24:04] project cache dir: /data/pruva/project-cache/c431373e-3d22-4a59-aad9-ea7d91c40bf5
[05:24:04] worktree /data/pruva/project-cache/c431373e-3d22-4a59-aad9-ea7d91c40bf5/repo -> phpBB 3.3.16 (expected release-3.3.16)
[05:24:04] worktree /data/pruva/project-cache/c431373e-3d22-4a59-aad9-ea7d91c40bf5/repo-fixed -> phpBB 3.3.17 (expected release-3.3.17)
[05:24:04] image phpbb-cve2026-48611:vuln already present, reusing
[05:24:04] image phpbb-cve2026-48611:fixed already present, reusing
[05:24:05] container phpbb-cve2026-48611-vuln healthy (Apache serving on :80 inside container)
[05:24:06] container phpbb-cve2026-48611-fixed healthy (Apache serving on :80 inside container)
[05:24:06] === EXPLOIT: vulnerable 3.3.16 ===
[05:24:06] vulnerable build: session *_u cookie value = 2 (admin is 2)
[05:24:06] vulnerable build: admin indicators in index page (ACP link count) = 2; admin name match = 'username-coloured">admin'
[05:24:06] === EXPLOIT: fixed 3.3.17 ===
[05:24:06] fixed build (ucp.php path): *_u cookie = 1
[05:24:06] fixed build (controller path): *_u cookie = 1; login error block present = 1
[05:24:06] VERDICT: vulnerable admin-hijack=yes; fixed-blocked=yes
[05:24:07] RESULT: CONFIRMED - CVE-2026-48611 reproduced (admin hijack on 3.3.16, blocked on 3.3.17)

[05:24:13] project cache dir: /data/pruva/project-cache/c431373e-3d22-4a59-aad9-ea7d91c40bf5
[05:24:13] worktree /data/pruva/project-cache/c431373e-3d22-4a59-aad9-ea7d91c40bf5/repo -> phpBB 3.3.16 (expected release-3.3.16)
[05:24:13] worktree /data/pruva/project-cache/c431373e-3d22-4a59-aad9-ea7d91c40bf5/repo-fixed -> phpBB 3.3.17 (expected release-3.3.17)
[05:24:14] image phpbb-cve2026-48611:vuln already present, reusing
[05:24:14] image phpbb-cve2026-48611:fixed already present, reusing
[05:24:14] container phpbb-cve2026-48611-vuln healthy (Apache serving on :80 inside container)
[05:24:15] container phpbb-cve2026-48611-fixed healthy (Apache serving on :80 inside container)
[05:24:15] === EXPLOIT: vulnerable 3.3.16 ===
[05:24:15] vulnerable build: session *_u cookie value = 2 (admin is 2)
[05:24:15] vulnerable build: admin indicators in index page (ACP link count) = 2; admin name match = 'username-coloured">admin'
[05:24:15] === EXPLOIT: fixed 3.3.17 ===
[05:24:15] fixed build (ucp.php path): *_u cookie = 1
[05:24:15] fixed build (controller path): *_u cookie = 1; login error block present = 1
[05:24:15] VERDICT: vulnerable admin-hijack=yes; fixed-blocked=yes
[05:24:16] RESULT: CONFIRMED - CVE-2026-48611 reproduced (admin hijack on 3.3.16, blocked on 3.3.17)