{
  "same_root_cause": true,
  "confidence": "high",
  "parent_claim": "GHSA-jf2j-jhvf-rc56 / CVE-2026-23698: Vtiger CRM through 8.4.0 allows authenticated admin users to achieve RCE by uploading a crafted module ZIP that places PHP files in the web-accessible modules/ directory.",
  "variant_claim": "The same Module Manager Import endpoint also accepts language-pack and layout-pack ZIPs, extracting attacker-controlled PHP files into the web-accessible languages/ and layouts/ directories.",
  "shared_root_cause": "The Module Manager Import feature extracts user-supplied ZIP archives directly into directories under the web document root without enforcing a per-type allowlist of safe file extensions and contents. As a result, any PHP file included in the archive can be reached and executed by the web server without going through Vtiger's authentication/authorization front controller.",
  "same_vulnerable_sink": true,
  "sink_description": "ZIP extraction into web root via the Vtiger Module Manager import dispatcher (modules/Settings/ModuleManager/actions/Basic.php::importUserModuleStep3), delegated to Vtiger_PackageImport, Vtiger_LanguageImport, or Vtiger_LayoutImport depending on the manifest type.",
  "same_trust_boundary": true,
  "trust_boundary_description": "All three paths require an authenticated administrator to interact with the Module Manager Import endpoint. The attacker-controlled input is the uploaded ZIP archive. The impact crosses from the authenticated admin context to persistent, unauthenticated remote code execution because the extracted PHP files are outside Vtiger's routing layer.",
  "differences_from_parent": [
    "The parent PoC uses a module ZIP (type=module) and extracts to modules/<module>/.",
    "The language variant uses a language ZIP (type=language) and extracts to languages/<prefix>/ via Vtiger_LanguageImport::import_Language().",
    "The layout variant uses a layout ZIP (type=layout) and extracts to layouts/<name>/skins/<name>/ via Vtiger_LayoutImport::import_Layout(), bypassing an incomplete PHP content filter with the short-echo tag <?=.",
    "No vendor patch is available, so the variants are confirmed as alternate triggers on the vulnerable version rather than bypasses of a fixed version."
  ],
  "evidence_refs": [
    "bundle/logs/vuln_variant_reproduction_steps.log",
    "bundle/vuln_variant/proof.log",
    "bundle/vuln_variant/patch_analysis.md"
  ]
}
