{
  "variant_id": "CVE-2026-50229-variant-001",
  "created_at": "2026-07-09T07:25:00Z",
  "variant_summary": "No distinct bypass or alternate XSS trigger found for CVE-2026-50229. The fix in numguess.jsp correctly restricts bean binding to the guess parameter. Two other example JSPs (colrs.jsp, carts.jsp) still use wildcard binding but were confirmed not to render unescaped attacker-controlled markup on the fixed release.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/apache/tomcat",
  "submitted_target": {
    "target_kind": "release",
    "version": "10.1.55",
    "commit_sha": "c70966726754f8b3ab63b5ac846a7e7cf6eb255a",
    "ref": "10.1.55",
    "display": "Apache Tomcat 10.1.55 (vulnerable)"
  },
  "variant_target": {
    "target_kind": "release",
    "version": "10.1.56",
    "commit_sha": "59f3f1ab4f905f94c9c99cad579d6afb3a935b66",
    "ref": "10.1.56",
    "display": "Apache Tomcat 10.1.56 (fixed)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "medium",
  "claimed_surface": "api_remote",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "endpoint",
  "required_entrypoint_detail": "GET /examples/jsp/num/numguess.jsp (original); candidate GET /examples/jsp/colors/colrs.jsp and GET /examples/jsp/sessions/carts.jsp (tested on fixed version)",
  "attacker_controlled_input": "HTTP GET parameter 'hint' on numguess.jsp (original); 'color1'/'color2'/'action' on colrs.jsp and 'itemId'/'submit' on carts.jsp (candidate variants)",
  "trigger_path": "/examples/jsp/num/numguess.jsp in the bundled Tomcat examples web application; candidate paths /examples/jsp/colors/colrs.jsp and /examples/jsp/sessions/carts.jsp",
  "observed_impact_class": "xss",
  "exploitability_confidence": "low",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "patch_complete",
  "blocking_mitigation": "The fix restricts <jsp:setProperty> to property=\"guess\" in webapps/examples/jsp/num/numguess.jsp, preventing the attacker from setting the hint property. The other wildcard-binding JSPs do not render attacker-controlled string properties unescaped.",
  "file_path": "webapps/examples/jsp/num/numguess.jsp",
  "line_start": 22,
  "line_end": 23,
  "secondary_anchors": [
    {
      "file_path": "webapps/examples/jsp/colors/colrs.jsp",
      "line_start": 19,
      "line_end": 20
    },
    {
      "file_path": "webapps/examples/jsp/sessions/carts.jsp",
      "line_start": 19,
      "line_end": 20
    }
  ],
  "review_scope_paths": [
    "webapps/examples/jsp/num/numguess.jsp",
    "webapps/examples/jsp/colors/colrs.jsp",
    "webapps/examples/jsp/sessions/carts.jsp",
    "webapps/examples/WEB-INF/classes/num/NumberGuessBean.java",
    "webapps/examples/WEB-INF/classes/colors/ColorGameBean.java",
    "webapps/examples/WEB-INF/classes/sessions/DummyCart.java"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": ["bundle/vuln_variant/reproduction_steps.sh"]
  }
}
