{
  "variant_id": "CVE-2026-60102-alt-smb-entrypoints",
  "created_at": "2026-07-08T00:00:00Z",
  "variant_summary": "Alternate Horde_Vfs_Smb public methods (deleteFile, writeData, rename, readFile, deleteFolder, isFolder, listFolder) reach the same shell-injection sink as the original createFolder repro. The v3.0.1 fix covers all of them, so no bypass exists.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/horde/Vfs",
  "submitted_target": {
    "target_kind": "commit",
    "commit_sha": "994f4a46fd76ea44eae2fe839216bb273ce49080",
    "version": "3.0.0",
    "display": "Horde VFS v3.0.0 (commit 994f4a46)"
  },
  "variant_target": {
    "target_kind": "commit",
    "commit_sha": "41f74b4acfc144e09013d04dd121e0a5da808361",
    "version": "3.0.1",
    "display": "Horde VFS v3.0.1 (commit 41f74b4)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "library_api",
  "validated_surface": "library_api",
  "required_entrypoint_kind": "function_call",
  "required_entrypoint_detail": "Horde_Vfs_Smb public methods: createFolder, deleteFile, writeData, rename, readFile, deleteFolder, isFolder, listFolder",
  "attacker_controlled_input": "Filename or path string supplied to the VFS method",
  "trigger_path": "Horde_Vfs_Smb::{method} -> _command() -> _execute() -> proc_open() (string form on vulnerable; argv array on fixed)",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "none",
  "evidence_scope": "tested_vulnerable_and_fixed_multiple_methods",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "fix_covers_variant",
  "blocking_mitigation": "v3.0.1 commit 41f74b4 removes the shell-string proc_open() call and quotes smbclient -c arguments, so the same payload no longer reaches /bin/sh",
  "file_path": "lib/Horde/Vfs/Smb.php",
  "line_start": 691,
  "line_end": 730,
  "secondary_anchors": [
    {
      "file_path": "lib/Horde/Vfs/Smb.php",
      "line_start": 602,
      "line_end": 623
    },
    {
      "file_path": "lib/Horde/Vfs/Smb.php",
      "line_start": 579,
      "line_end": 596
    }
  ],
  "review_scope_paths": [
    "lib/Horde/Vfs/Smb.php",
    "test/Unit/SmbCommandInjectionTest.php"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/variant_run.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ]
  }
}
