CVE-2026-44249: executable affected-version evidence for dependency-check
Requested Check
Please review the attached executable affected-version evidence and decide whether the affected-version data, package namespace, or consumer interpretation should be updated or explicitly documented.
Grouped Route
- candidate:
CVE-2026-44249
- route URL:
https://github.com/dependency-check/DependencyCheck
- targets:
dependency-check
- route kinds:
consumer-tool
- priority:
P2
- grouped queue rows:
1
- P0 rows in group:
0
Evidence Summary
- projection-loss versions:
0
- consumer false-negative versions:
0
- source-disagreement versions:
0
- report paths:
external_validation_reports/CVE-2026-44249_external_validation_report.md
Target-Specific Packets
| Target |
Route kind |
Priority |
Reason |
Body |
SHA-256 |
dependency-check |
consumer-tool |
P2 |
consumer interpretation misses witness-vulnerable versions |
external_validation_submissions/CVE-2026-44249__dependency-check.md |
926eab78508652c6a73035d3db5a03a8d6e7270f204c95f4c9ff8914a18d5886 |
Reproduction
make cve-2026-44249
make interval-certificates topology-theorem order-sensitivity version-dags
make install-consumer-tools consumer-tools-all consumer-tools-dependency-check consumer-tools-gradle-cyclonedx
make public-prevalence case-certificates verify-certificates topology-aware validate-artifact
Full Packet Text
The target-specific packet bodies are included below so this grouped issue remains self-contained.
Packet: dependency-check / consumer-tool
CVE-2026-44249: executable affected-version evidence for dependency-check
Requested Check
Please review whether the affected-version data for this vulnerability should be updated, or whether the current exclusion is intentional and should be represented explicitly for downstream consumers.
Reason For Contact
- target:
dependency-check
- route kind:
consumer-tool
- reason: consumer interpretation misses witness-vulnerable versions
- report:
external_validation_reports/CVE-2026-44249_external_validation_report.md
Executable Certificate
- candidate:
CVE-2026-44249
- bitstring:
110110
- minimum interval cover:
2
- V-S-V witnesses:
1
- zero-error single intervals:
0
- full-recall false-positive lower bound:
1
- zero-false-positive false-negative lower bound:
2
Projection-Loss Coordinates
- none for the claim source in the tested matrix
Consumer Observations
dependency-check: rows=6, ok=6, false_negatives=4, false_positives=0
- false-negative versions:
4.1.133.Final, 4.1.134.Final, 4.2.0.Final, 4.2.14.Final
Source Disagreements
- none recorded for this case
Reproduction
make cve-2026-44249
make interval-certificates topology-theorem order-sensitivity version-dags
make consumer-tools public-prevalence case-certificates verify-certificates
Primary Evidence Files
consumer_matrix: out/consumer_tools/latest/consumer_false_negative_matrix.csvdependency_check_consumer_matrix: out/consumer_tools/dependency-check-latest/consumer_false_negative_matrix.csvgradle_cyclonedx_consumer_matrix: out/consumer_tools/gradle-cyclonedx-latest/consumer_false_negative_matrix.csvorder_sensitivity: out/order_sensitivity/order_sensitivity.csvoutcomes: out/witness_runs/CVE-2026-44249/latest/outcomes.csvprojection_decision_matrix: out/metadata_analysis/CVE-2026-44249/projection_decision_matrix.csvprojection_loss_summary: out/metadata_analysis/CVE-2026-44249/projection_loss_summary.csvpublic_prevalence_by_case: out/public_prevalence/latest/public_dependency_prevalence_by_case.csvtheorem: out/theorem/single_interval_impossibility.json
CVE-2026-44249: executable affected-version evidence for dependency-check
Requested Check
Please review the attached executable affected-version evidence and decide whether the affected-version data, package namespace, or consumer interpretation should be updated or explicitly documented.
Grouped Route
CVE-2026-44249https://github.com/dependency-check/DependencyCheckdependency-checkconsumer-toolP210Evidence Summary
000external_validation_reports/CVE-2026-44249_external_validation_report.mdTarget-Specific Packets
dependency-checkconsumer-toolP2external_validation_submissions/CVE-2026-44249__dependency-check.md926eab78508652c6a73035d3db5a03a8d6e7270f204c95f4c9ff8914a18d5886Reproduction
Full Packet Text
The target-specific packet bodies are included below so this grouped issue remains self-contained.
Packet: dependency-check / consumer-tool
CVE-2026-44249: executable affected-version evidence for dependency-check
Requested Check
Please review whether the affected-version data for this vulnerability should be updated, or whether the current exclusion is intentional and should be represented explicitly for downstream consumers.
Reason For Contact
dependency-checkconsumer-toolexternal_validation_reports/CVE-2026-44249_external_validation_report.mdExecutable Certificate
CVE-2026-4424911011021012Projection-Loss Coordinates
Consumer Observations
dependency-check: rows=6, ok=6, false_negatives=4, false_positives=04.1.133.Final, 4.1.134.Final, 4.2.0.Final, 4.2.14.FinalSource Disagreements
Reproduction
Primary Evidence Files
consumer_matrix:out/consumer_tools/latest/consumer_false_negative_matrix.csvdependency_check_consumer_matrix:out/consumer_tools/dependency-check-latest/consumer_false_negative_matrix.csvgradle_cyclonedx_consumer_matrix:out/consumer_tools/gradle-cyclonedx-latest/consumer_false_negative_matrix.csvorder_sensitivity:out/order_sensitivity/order_sensitivity.csvoutcomes:out/witness_runs/CVE-2026-44249/latest/outcomes.csvprojection_decision_matrix:out/metadata_analysis/CVE-2026-44249/projection_decision_matrix.csvprojection_loss_summary:out/metadata_analysis/CVE-2026-44249/projection_loss_summary.csvpublic_prevalence_by_case:out/public_prevalence/latest/public_dependency_prevalence_by_case.csvtheorem:out/theorem/single_interval_impossibility.json