pre-auth 1 One byte of URL-encoding past a WAF: notes on CVE-2026-40050 and the GraphQL endpoint nobody fenced Jun 2, 2026