CVE-2026-13601: Permissive CSP Enables Sandbox Escape via CSS Injection — Casky — Casky