{
  "claim_outcome": "blocked",
  "claim_block_reason": "fix_covers_surface",
  "repro_result": "negative_variant",
  "validated_surface": "api_remote",
  "evidence_scope": "production_path",
  "claimed_impact_class": "sql_injection",
  "observed_impact_class": "none",
  "exploitability_confidence": "low",
  "attacker_controlled_input": "JSON array element in POST /api/auditPublishing/getAll; also tested GET path parameter, body shape variations, content-type variations, and auth-bypass headers",
  "trigger_path": "POST /api/auditPublishing/getAll",
  "end_to_end_target_reached": true,
  "sanitizer_used": true,
  "crash_observed": false,
  "read_write_primitive_observed": false,
  "exploit_chain_demonstrated": false,
  "blocking_mitigation": "Patch 26.04.28-03 parameterizes the bundle-id IN clause and enforces push-publish authentication on AuditPublishingResource endpoints; on the fixed build, all tested candidate paths return HTTP 401 and no time-based SQL injection delay was observed.",
  "inferred": false
}
