{"claim_outcome": "confirmed", "claim_block_reason": null, "repro_result": "confirmed", "validated_surface": "api_remote", "evidence_scope": "production_path", "claimed_impact_class": "code_execution", "observed_impact_class": "code_execution", "exploitability_confidence": "high", "attacker_controlled_input": "authenticated low-privileged user with 'user: manage users' permission self-assigns a custom role with 'system: manage packages' via POST /api/user/{id}, then uploads and installs a malicious PHP package", "trigger_path": "POST /api/user/{id} with roles array containing custom role ID (not 3) -> POST /admin/system/package/upload -> POST /admin/system/package/install -> GET /packages/{name}/index.php?cmd=id", "end_to_end_target_reached": true, "sanitizer_used": false, "crash_observed": false, "read_write_primitive_observed": false, "exploit_chain_demonstrated": true, "blocking_mitigation": null, "inferred": false}