{"repository": "pagekit/pagekit", "commit_source": "release_tag_resolution", "commit_sha": "95446c5f08fc43993fad5e2b581743ffcce50c35", "submitted_target": {"target_kind": "release", "commit_sha": "95446c5f08fc43993fad5e2b581743ffcce50c35", "version": "1.0.18", "ref": "1.0.18", "display": "pagekit/pagekit 1.0.18 (release tag, commit 95446c5)"}, "variant_target": {"target_kind": "release", "commit_sha": "95446c5f08fc43993fad5e2b581743ffcce50c35", "version": "1.0.18", "ref": "1.0.18", "display": "pagekit/pagekit 1.0.18 (release tag, commit 95446c5) \u2014 only available version; no fixed ref exists"}, "resolution_method": "Official Pagekit 1.0.18 release ZIP (GitHub releases/download/1.0.18/pagekit-1.0.18.zip) deployed in a Docker container (php:7.4-apache + SQLite). The release corresponds to git tag 1.0.18 at commit 95446c5f08fc43993fad5e2b581743ffcce50c35 (verified via the project-cache repo mirror: git tag -l -> only '1.0.18'; git rev-parse HEAD -> 95446c5f08fc43993fad5e2b581743ffcce50c35; commit date 2020-01-20). app/system/config.php reports 'version' => '1.0.18'. The vulnerable saveAction check ('Cannot add/remove Admin Role') and the variant sink (UpdateController 'system: software updates' + SelfUpdater) were both confirmed present in the deployed source.", "fixed_version": null, "fixed_version_status": "unavailable", "fixed_version_blocker": "Pagekit project archived 2023-12-01. 1.0.18 is the only git tag and the latest commit; no patched or newer release exists. A bypass-of-fix determination is therefore not possible; the variant is confirmed on the only available (vulnerable) target.", "notes": "The Docker image 'pagekit-vuln-1018:repro' was built from the cached release directory and reused for the variant run. The variant container ('pagekit-variant') is isolated from the parent repro container and is removed at the end of the script; the repo checkout state is not mutated."}