{
  "variant_id": "CVE-VINEXT-CIVETWEB-PUT-SSI-RCE-variant-1",
  "created_at": "2026-07-04T21:00:00Z",
  "variant_summary": "Alternate triggers for CivetWeb authenticated PUT + SSI #exec RCE: chunked PUT, WebDAV MOVE, and .shtm extension",
  "relation": "same_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/civetweb/civetweb",
  "submitted_target": {
    "target_kind": "commit",
    "commit_sha": "588860e30721bf5453b0440c390865a8e85dcae5",
    "display": "588860e3"
  },
  "variant_target": {
    "target_kind": "commit",
    "commit_sha": "3309a6cac05335aa4371a0c3750b42fbe05d3cb4",
    "display": "3309a6c"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "medium",
  "claimed_surface": "api_remote",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "http_method",
  "required_entrypoint_detail": "Authenticated PUT with Transfer-Encoding: chunked, or WebDAV MOVE after a PUT, or PUT to a .shtm file",
  "attacker_controlled_input": "SSI #exec directive uploaded via authenticated PUT or MOVE to a file matching the default ssi_pattern",
  "trigger_path": "HTTP PUT/MOVE of a file matching ssi_pattern, followed by an HTTP GET of that file, reaching send_ssi_file -> do_ssi_exec -> popen",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": null,
  "blocking_mitigation": "Building CivetWeb with the NO_POPEN compile-time flag removes the do_ssi_exec() sink, so all SSI #exec variants are blocked",
  "file_path": "src/civetweb.c",
  "line_start": 12785,
  "line_end": 12805,
  "secondary_anchors": [
    {
      "file_path": "src/civetweb.c",
      "line_start": 12855,
      "line_end": 12858
    },
    {
      "file_path": "src/civetweb.c",
      "line_start": 12500,
      "line_end": 12650
    },
    {
      "file_path": "src/civetweb.c",
      "line_start": 12335,
      "line_end": 12480
    }
  ],
  "review_scope_paths": [
    "src/civetweb.c"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ]
  }
}
