{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "Unauthenticated HTTP to com_pagebuilderck controller task endpoints (browse.ajaxAddPicture + surveyed alternate sinks)",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached_fixed": false,
  "target_path_reached_vulnerable": true,
  "runtime_stack": [
    "joomla-5.2",
    "php-8.2",
    "apache-2.4",
    "mariadb-10.11",
    "pagebuilderck-3.6.1-fixed"
  ],
  "tested_variants": [
    {
      "id": "C1",
      "task": "browse.ajaxAddPicture",
      "sink": "CKBrowse::ajaxAddPicture (arbitrary-extension file upload)",
      "fixed": "blocked_403_no_php",
      "vulnerable": "rce",
      "rce_capable": true
    },
    {
      "id": "C2",
      "task": "browse.ajaxCreateFolder",
      "sink": "CKBrowse::createFolder (folder creation)",
      "fixed": "blocked_403",
      "vulnerable": "reachable_http_200",
      "rce_capable": false
    },
    {
      "id": "C3",
      "task": "browse.getFiles",
      "sink": "CKBrowse::getImagesInFolder (file listing)",
      "fixed": "blocked_403",
      "vulnerable": "not_tested",
      "rce_capable": false
    },
    {
      "id": "C4",
      "task": "fonts.save",
      "sink": "fonts controller file_put_contents (forced font extensions)",
      "fixed": "blocked_403",
      "vulnerable": "reachable_http_403",
      "rce_capable": false
    },
    {
      "id": "C5",
      "task": "pixabay.upload",
      "sink": "pixabay controller remote fetch+write (forced img extensions, pixabay-only url)",
      "fixed": "blocked_403",
      "vulnerable": "reachable_http_200",
      "rce_capable": false
    },
    {
      "id": "C6",
      "task": "frontedition.createModule",
      "sink": "DB module insert (no file write)",
      "fixed": "blocked_500",
      "vulnerable": "reachable_http_500",
      "rce_capable": false
    },
    {
      "id": "C7",
      "task": "page.save",
      "sink": "page model save (DB write)",
      "fixed": "blocked_403",
      "vulnerable": "not_tested",
      "rce_capable": false
    },
    {
      "id": "C8",
      "task": "display",
      "sink": "view rendering (no .php write)",
      "fixed": "http_403_no_php_write",
      "vulnerable": "not_tested",
      "rce_capable": false
    },
    {
      "id": "C9",
      "task": "ajaxParamsCall",
      "sink": "arbitrary helper-method dispatch gadget (writeLabelsFile forces .txt)",
      "fixed": "blocked_403",
      "vulnerable": "reachable_http_200",
      "rce_capable": false
    },
    {
      "id": "C10",
      "task": "browse.ajaxAddPicture (admin entry /administrator/index.php)",
      "sink": "same upload sink via admin entry point",
      "fixed": "http_200_admin_login_redirect",
      "vulnerable": "not_tested",
      "rce_capable": true
    }
  ],
  "rce_marker_phase1": "none",
  "rce_marker_phase2": "/var/www/html/media/com_pagebuilderck/gfonts/exploit_shell.php",
  "proof_artifacts": [
    "logs/vuln_variant_evidence.log",
    "logs/fixed_version.txt",
    "vuln_variant/phase_results.json"
  ],
  "notes": "CVE-2026-56290 variant survey. bypass_on_fixed=False vulnerable_rce=True. On the FIXED version every controller-task variant is blocked (no .php written, no RCE marker). On the VULNERABLE version (fix reverted) browse.ajaxAddPicture yields RCE; alternate sinks are reachable but cannot deliver a .php web shell (forced safe extensions / DB-only writes). No bypass of the fix found."
}
