{
  "vulnerable_signed_hmac_exec": true,
  "fixed_signed_hmac_exec": true,
  "vulnerable_commit": "26a2d519c59c620e2b0a54d0baf33889d7d5db0a",
  "fixed_commit": "f95b0ff51a655edcbcc060a3d74b43e3f20b9585",
  "bypass_security_scope": false,
  "note": "The only bypass-like behavior found is that a queue item with a correct site HMAC executes on the fixed version. This requires knowledge/control of Security::getNonceKey() or same-process/local write capability, so it does not cross the same remote/API trust boundary as the reproduced CVE."
}
