{
  "variant_outcome": "no_bypass_found",
  "bypass_on_fixed_version": false,
  "vulnerable_rce_confirmed": true,
  "relation_to_parent_claim": "same_root_cause_alternate_triggers_only_on_vulnerable",
  "fix_coverage_assessment": "comprehensive",
  "claim_block_reason": null,
  "blocking_mitigation": "CKFof::checkSecurity() in CKController::execute() (if ($task !== 'display') checkSecurity()) plus per-method checkSecurity() in browse/fonts/pixabay/frontedition/page controllers. The only arbitrary-extension upload sink (CKBrowse::ajaxAddPicture) is protected at both dispatch and method level on the fixed version.",
  "validated_surface": "api_remote",
  "evidence_scope": "production_path",
  "claimed_impact_class": "code_execution",
  "observed_impact_class_fixed": "blocked_403",
  "observed_impact_class_vulnerable": "code_execution",
  "phase1_fixed_http_codes": {
    "C1": "403",
    "C2": "403",
    "C3": "403",
    "C4": "403",
    "C5": "403",
    "C6": "500",
    "C7": "403",
    "C8": "403",
    "C9": "403",
    "C10": "200"
  },
  "phase2_vulnerable_http_codes": {
    "C1": "200",
    "C2": "200",
    "C4": "403",
    "C5": "200",
    "C6": "500",
    "C9": "200"
  },
  "rce_marker_phase1": "none",
  "rce_marker_phase2": "/var/www/html/media/com_pagebuilderck/gfonts/exploit_shell.php",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "unauthenticated HTTP POST uploading a PHP web shell via com_pagebuilderck browse.ajaxAddPicture with attacker-controlled path and filename; alternate sinks (fonts.save, pixabay.upload, browse.ajaxCreateFolder, frontedition.createModule, ajaxParamsCall gadget) surveyed",
  "trigger_path": "GET public page -> extract guest CSRF token -> POST to index.php?option=com_pagebuilderck&task=<controller.task>&<token>=1",
  "end_to_end_target_reached_fixed": false,
  "end_to_end_target_reached_vulnerable": true,
  "inferred": false,
  "notes": "Variant/bypass survey: the central execute() check covers all non-display tasks; the display exemption only renders views (no .php write). ajaxAddPicture is the only sink accepting attacker-controlled file extensions (extension allowlist commented out). All other file-write sinks force safe extensions (.css/.txt/font/img) or fixed paths, so they cannot deliver a .php web shell even when reachable. No bypass of the fix found for the file-upload-to-RCE root cause."
}
