{
  "repository": "https://github.com/jeecgboot/JeecgBoot",
  "commit_source": "git_rev_parse",
  "commit_sha": "7df07a823fd558be857d0208ccae96342539fbc1",
  "submitted_target": {
    "target_kind": "git_tag",
    "commit_sha": "7df07a823fd558be857d0208ccae96342539fbc1",
    "version": "3.9.2",
    "ref": "v3.9.2",
    "display": "jeecgboot/JeecgBoot v3.9.2 (commit 7df07a8)"
  },
  "variant_target": {
    "target_kind": "git_commit",
    "commit_sha": "7df07a823fd558be857d0208ccae96342539fbc1",
    "version": "3.9.2",
    "ref": "v3.9.2",
    "display": "jeecgboot/JeecgBoot v3.9.2 (latest release tag; master HEAD 32a8dfe94f014f7a9d472bce83e08bb8cf9c10c3 is byte-identical for the affected controllers)"
  },
  "latest_default_branch_head": "32a8dfe94f014f7a9d472bce83e08bb8cf9c10c3",
  "latest_default_branch_resolution": "git ls-remote https://github.com/jeecgboot/JeecgBoot.git HEAD",
  "latest_release_tag": "v3.9.2",
  "byte_identity_check": "All four OpenAPI controllers (OpenApiAuthController, OpenApiPermissionController, OpenApiLogController, OpenApiController) fetched at master HEAD are byte-identical (diff -q) to the v3.9.2 checkout in the project cache.",
  "patch_status": "none",
  "patch_status_detail": "CVE-2026-58377 NVD/cvefeed status Deferred; SecAlerts lists No Patch; no patched release tag exists; master is unpatched.",
  "notes": "Because no official patch exists, the 'fixed-version' test reduces to testing the latest release / default branch, which is identical to the vulnerable code. The variant is confirmed on the latest available code (v3.9.2 == master for the affected files). Tested at runtime against the jeecg-system-start-3.9.2.jar built from commit 7df07a8."
}
