{
  "ticket_id": "CVE-2026-60102",
  "stage": "vuln_variant",
  "verdict": "no_bypass",
  "variant_found": true,
  "bypass_found": false,
  "distinct_variant_confirmed": false,
  "tested_variant_count": 8,
  "tested_commits": {
    "vulnerable": "994f4a46fd76ea44eae2fe839216bb273ce49080",
    "fixed": "41f74b4acfc144e09013d04dd121e0a5da808361"
  },
  "variant_summary": "Eight alternate public-method entry points to the same Horde_Vfs_Smb command-injection sink were tested. All eight fire on the vulnerable commit, but none bypass the v3.0.1 fix.",
  "blocking_mitigation": "Commit 41f74b4 switches _execute() to an argv array passed to proc_open() and replaces the broken _escapeShellCommand() with _quoteSmbArg() for the smbclient -c mini-language. This removes /bin/sh from the call path for every public method that reaches the sink.",
  "evidence": "bundle/logs/vuln_variant/variant_run.log",
  "notes": "No bypass found. The v3.0.1 fix is complete for the alternate paths identified in this run."
}
