[INFO] ToolHive CVE-2026-58196 variant reproduction started at 2026-07-16T08:49:27Z [INFO] Bundle root: /data/pruva/runs/35288167-4f28-4e14-8f1c-709345bff069/bundle [INFO] === Variant attempt on vulnerable using ToolHive v0.30.0 Commit: bc4beddb921523d1f314b82b5b9d4249ee0a605b Built: 2026-06-17 16:38:55 UTC Go version: go1.26.4 Platform: linux/amd64 === [INFO] vulnerable: remote requests=2, auth-server events=9, internal canary events=2 [INFO] === Variant attempt on fixed using ToolHive v0.31.0 Commit: 493d030ed24b8c012db4c5717475a2386f5b72ce Built: 2026-06-24 19:50:53 UTC Go version: go1.26.4 Platform: linux/amd64 === [INFO] fixed: remote requests=2, auth-server events=9, internal canary events=2 [INFO] === Variant attempt on latest using ToolHive v0.38.0 Commit: 116421213382e82016067d32581b61f4fe1ab807 Built: 2026-07-15 17:29:14 UTC Go version: go1.26.5 Platform: linux/amd64 === [INFO] latest: remote requests=2, auth-server events=9, internal canary events=2 [INFO] Variant canary-hit summary: vulnerable=1 fixed_v0.31.0=1 latest_v0.38.0=1 [CONFIRMED] Variant bypass reproduced on fixed ToolHive v0.31.0.