{
  "schema_version": 1,
  "updated_at": "2026-07-05T08:50:23.402028781Z",
  "entries": [
    {
      "logical_path": "repro/reproduction_steps.sh",
      "stage": "repro",
      "role": "primary_reproducer",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Self-contained real-product reproduction script for CVE-2026-5524 using original Divi Form Builder v5.1.2 WordPress plugin and fixed negative control.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/vuln/execution_response.txt",
      "stage": "repro",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "HTTP response body from accessing the uploaded .phtml file proving remote PHP code execution as www-data.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/vuln/htaccess.txt",
      "stage": "repro",
      "role": "runtime_manifest",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "The plugin's .htaccess in de_fb_uploads/ that blocks ONLY .php — the bypass component enabling .phtml execution.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/fixed/upload_response.txt",
      "stage": "repro",
      "role": "validation_verdict",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Negative control: patched 5.1.9 endpoint rejects the .phtml upload (server-side allowlist).",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "repro/runtime_manifest.json",
      "stage": "repro",
      "role": "runtime_manifest",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Runtime evidence manifest proving api_remote service start, health check, target path reached, and concrete proof artifacts.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "repro/rca_report.md",
      "stage": "repro",
      "role": "root_cause_analysis",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Root-cause analysis explaining user-controlled acceptFileTypes in do_image_upload and runtime proof results.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "repro/validation_verdict.json",
      "stage": "repro",
      "role": "validation_verdict",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Structured explicit validation verdict for downstream systems.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/vuln/marker_file.txt",
      "stage": "repro",
      "role": "marker_output",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Server-side marker file written by the executed PHP payload, proving code execution beyond the HTTP response.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/vuln_attempt_1/result.json",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Vulnerable runtime proof showing original plugin upload accepted and .phtml payload executed as www-data.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/fixed_attempt_1/result.json",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Fixed negative control showing patched original project path rejects executable upload and no marker executes.",
      "declared_by": "agent_tool"
    }
  ]
}
