{
  "repository": "https://github.com/phpbb/phpbb.git",
  "commit_source": "git_rev_parse",
  "commit_sha": "3508484fdc18cd97eeab229da830055c79fcc59e",
  "submitted_target": {
    "target_kind": "release_tag",
    "commit_sha": "555f0aaa6b892efb2e6b6edd2362302a3ef8b339",
    "version": "3.3.16",
    "ref": "release-3.3.16",
    "display": "phpBB release-3.3.16 (vulnerable) — commit 555f0aaa6b892efb2e6b6edd2362302a3ef8b339"
  },
  "variant_target": {
    "target_kind": "release_tag",
    "commit_sha": "3508484fdc18cd97eeab229da830055c79fcc59e",
    "version": "3.3.17",
    "ref": "release-3.3.17",
    "display": "phpBB release-3.3.17 (fixed / target-for-bypass) — commit 3508484fdc18cd97eeab229da830055c79fcc59e"
  },
  "notes": "Source identity resolved from the durable project-cache git mirror at /data/pruva/project-cache/c431373e-3d22-4a59-aad9-ea7d91c40bf5/repo-mirrors/phpbb.git. release-3.3.16 and release-3.3.17 are annotated tags; the underlying commit SHAs were obtained via 'git rev-parse <tag>^{commit}' and cross-checked against 'git rev-parse HEAD' of the checked-out worktrees used to build the Docker images (repo/ -> 555f0aaa..., repo-fixed/ -> 3508484f...). The built images phpbb-cve2026-48611:vuln and :fixed correspond to these commits. No bypass was confirmed on the fixed target; this file is provided for source-traceability completeness.",
  "tested_vulnerable": {
    "ref": "release-3.3.16",
    "commit_sha": "555f0aaa6b892efb2e6b6edd2362302a3ef8b339",
    "phpbb_version": "3.3.16",
    "image": "phpbb-cve2026-48611:vuln",
    "runtime": "php:8.2-apache (Apache/2.4.67, PHP/8.2.32, mod_php), sqlite3, auth_method=db"
  },
  "tested_fixed": {
    "ref": "release-3.3.17",
    "commit_sha": "3508484fdc18cd97eeab229da830055c79fcc59e",
    "phpbb_version": "3.3.17",
    "image": "phpbb-cve2026-48611:fixed",
    "runtime": "php:8.2-apache (Apache/2.4.67, PHP/8.2.32, mod_php), sqlite3, auth_method=db"
  }
}
