{ "run_id": "gitea-gitea--CVE-2026-20912-20260318035506", "system_id": "gitea", "advisory_id": "gitea--CVE-2026-20912", "repro_profile_id": "gitea-file-upload", "verification_status": "verified-real", "verification_mode": "real", "artifact_mode": "local-fixture", "target_env": "local-docker", "compose_services": [ "app" ], "baseline_refs": [ "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/baseline.json" ], "attack_steps": [ { "kind": "runner", "tool": "gitea.file-upload", "status": "completed", "status_code": 200, "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/attack.json" } ], "browser_refs": [ "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/assets/baseline.png", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/assets/baseline-dom.html", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/baseline-console.json", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/baseline-network.json", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/baseline-page.json", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/assets/proof.png", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/assets/proof-dom.html", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/proof-console.json", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/proof-network.json", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/proof-page.json" ], "browser_evidence": { "required": true, "present": true, "refs": [ "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/assets/baseline.png", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/assets/baseline-dom.html", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/baseline-console.json", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/baseline-network.json", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/baseline-page.json", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/assets/proof.png", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/assets/proof-dom.html", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/proof-console.json", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/proof-network.json", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/proof-page.json" ], "baseline_refs": [ "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/assets/baseline.png", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/assets/baseline-dom.html", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/baseline-console.json", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/baseline-network.json", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/baseline-page.json" ], "proof_refs": [ "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/assets/proof.png", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/assets/proof-dom.html", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/proof-console.json", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/proof-network.json", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/proof-page.json" ], "baseline_title": "Gitea File Upload Fixture", "proof_title": "Gitea File Upload Fixture - proof", "error_kind": null, "reason": null }, "container_log_refs": [ "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/docker/app.log" ], "request_log_refs": [ "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/attack.json", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/baseline.json" ], "compose_refs": [ "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/compose/compose.yaml" ], "timeline": [ { "at": "2026-03-18T03:55:06+00:00", "step": "select-advisory", "status": "completed", "detail": "gitea--CVE-2026-20912" }, { "at": "2026-03-18T03:55:06+00:00", "step": "resolve-repro-profile", "status": "completed", "detail": "gitea-file-upload" }, { "at": "2026-03-18T03:55:07+00:00", "step": "doctor", "status": "completed", "detail": "all checks passed" }, { "at": "2026-03-18T03:55:09+00:00", "step": "provision-compose-environment", "status": "ready", "detail": "" }, { "at": "2026-03-18T03:55:09+00:00", "step": "wait-ready", "status": "completed", "detail": "baseline urls ready (1)" }, { "at": "2026-03-18T03:55:09+00:00", "step": "seed-environment", "status": "completed", "detail": "steps=1" }, { "at": "2026-03-18T03:55:10+00:00", "step": "baseline-snapshot", "status": "completed", "detail": "urls=1" }, { "at": "2026-03-18T03:55:10+00:00", "step": "browser-replay-before-attack", "status": "completed", "detail": "" }, { "at": "2026-03-18T03:55:10+00:00", "step": "controlled-attack-chain", "status": "completed", "detail": "steps=1" }, { "at": "2026-03-18T03:55:11+00:00", "step": "browser-replay-after-attack", "status": "completed", "detail": "" }, { "at": "2026-03-18T03:55:11+00:00", "step": "collect-logs-and-evidence", "status": "completed", "detail": "container_logs=1" }, { "at": "2026-03-18T03:55:13+00:00", "step": "cleanup-compose-environment", "status": "completed", "detail": "docker compose down completed" }, { "at": "2026-03-18T03:55:13+00:00", "step": "update-registry-and-reports", "status": "completed", "detail": "gitea-gitea--CVE-2026-20912-20260318035506" } ], "success_evaluation": { "passed": true, "verification_status": "verified-real", "blocked_reason": null, "assertions": [ { "name": "baseline-ok", "kind": "baseline-ok", "passed": true, "detail": "baseline URLs responded without 5xx or transport errors" }, { "name": "runner-success", "kind": "runner-success", "passed": true, "detail": "upload marker accepted and listed" }, { "name": "browser-present", "kind": "browser-present", "passed": true, "detail": "browser evidence captured" } ] }, "historical_status": "verified-real", "latest_status": "verified-real", "started_at": "2026-03-18T03:55:06+00:00", "finished_at": "2026-03-18T03:55:13+00:00", "blocked_reason": null, "report_refs": { "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506", "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/report.md", "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/report.html", "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/timeline.mmd" } }