CVE-2026-13323 VARIANT verdict ================================ Variant: HTML smuggled as extension ICON, served via /api/{ns}/{ext}/{ver}/file/payload.html (alternate entry point vs. repro /vscode/unpkg/.../extension/payload.html) VULNERABLE (v1.0.1) variant headers: CT=text/html|CSP=0|CD=0|INLINE_HTML=1 FIXED (v1.0.2) variant headers: CT=text/plain;charset=utf-8|CSP=1|CD=0|INLINE_HTML=0 VULNERABLE (v1.0.1) control headers: CT=text/html|CSP=0|CD=0|INLINE_HTML=1 FIXED (v1.0.2) control headers: CT=text/plain;charset=utf-8|CSP=1|CD=0|INLINE_HTML=0 Variant reproduced on VULNERABLE: true Variant BYPASS on FIXED: false Outcome: alternate_trigger_on_vulnerable_only (fix covers the variant -> NOT a bypass)