GHSA-9wxg-vf3r-56hc
OpenZeppelin Contracts Wizard: Line terminators in info.securityContact / info.license can inject lines into generated source
Details
## Summary
The Contracts Wizard generators printed `info.securityContact` and `info.license` verbatim into a single-line comment of the generated Solidity, Cairo, Stellar/Soroban, and Stylus source without rejecting line terminators. A newline (`\n` or `\r\n`) in either field ends the comment, so the text after it is emitted as source rather than remaining inside the comment — allowing arbitrary declarations to be injected into the generated contract.
## Impact
This only matters when these fields are filled from input other than the user who will use the generated contract. Normal self-service use does not meet that condition:
- **Web app, AI assistant, and CLI:** the user supplies these fields and uses their own output, so a line break only affects their own contract. (These fields are not URL-derived, so shared links cannot set them.)
- **Self-hosted API:** same — the end user supplies the options and consumes the result.
The case that matters is an integration that fills these fields from untrusted input — for example, an MCP agent whose tool arguments are derived from content it processed. There, a newline in the value can add lines to output that otherwise looks like normal Wizard source. Impact is integrity-only; there is no execution on any Wizard service.
## Patches
Fixed by rejecting line terminators in `setInfo` — the single code path all surfaces use — so the value can no longer break out of the comment. Upgrade to the patched versions. `@openzeppelin/wizard-confidential` and `@openzeppelin/wizard-uniswap-hooks` reuse this `setInfo` through their `@openzeppelin/wizard` dependency and receive the fix once that dependency is updated to a patched version.
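The following is an added illustration, not code from the Wizard repository: a minimal model of a generator that emits `info.license` and `info.securityContact` into single-line header comments, the pre-fix `setInfo` that copies values verbatim, and the patched variant that rejects line terminators as the advisory describes. The function names (`setInfoUnchecked`, `setInfoChecked`, `renderHeader`, `codeLines`) and the sample contact value are assumptions made for this example.

```typescript
// Added example (hypothetical names); models the comment break-out and the fix.
interface Info {
  securityContact?: string;
  license?: string;
}

// LF, CR and the U+2028/U+2029 separators that JavaScript treats as line terminators.
const LINE_TERMINATOR = /[\n\r\u2028\u2029]/;

// Pre-fix behaviour: the value is stored verbatim, line breaks included.
function setInfoUnchecked(info: Info, key: keyof Info, value: string): Info {
  const next: Info = { ...info };
  next[key] = value;
  return next;
}

// Patched behaviour, modelled on the advisory: reject any line terminator
// before the value can reach a generator.
function setInfoChecked(info: Info, key: keyof Info, value: string): Info {
  if (LINE_TERMINATOR.test(value)) {
    throw new Error(`info.${key} must not contain line terminators`);
  }
  return setInfoUnchecked(info, key, value);
}

// Emits each field into its own single-line comment, then the pragma.
function renderHeader(info: Info): string {
  const lines = [`// SPDX-License-Identifier: ${info.license ?? 'MIT'}`];
  if (info.securityContact) {
    lines.push(`/// @custom:security-contact ${info.securityContact}`);
  }
  lines.push('pragma solidity ^0.8.20;');
  return lines.join('\n');
}

// Returns the non-comment, non-empty lines of generated source: anything here
// besides the pragma is a line the comment was supposed to contain.
function codeLines(source: string): string[] {
  return source.split(/\r\n|\r|\n/).filter((l) => l.trim() !== '' && !/^\s*\/\//.test(l));
}

// Constructed input: a contact string with an embedded CRLF and trailing text.
const CONSTRUCTED_CONTACT = 'security@example.com\r\ncontract Injected {}';

function demo(): { vulnerable: string[]; patchedRejected: boolean } {
  const vulnerable = codeLines(renderHeader(setInfoUnchecked({}, 'securityContact', CONSTRUCTED_CONTACT)));
  let patchedRejected = false;
  try { setInfoChecked({}, 'securityContact', CONSTRUCTED_CONTACT); } catch { patchedRejected = true; }
  return { vulnerable, patchedRejected };
}
```

With the unchecked path `demo()` reports two code lines (`contract Injected {}` and the pragma); with the checked path the same value is rejected before anything is generated.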
## Affected packages

| Package | Fixed in | Install |
|---|---|---|
| `@openzeppelin/wizard` | 0.10.11 | `npm install @openzeppelin/wizard@0.10.11` |
| `@openzeppelin/wizard-cairo` | 3.0.1 | `npm install @openzeppelin/wizard-cairo@3.0.1` |
| `@openzeppelin/wizard-stellar` | 0.6.2 | `npm install @openzeppelin/wizard-stellar@0.6.2` |
| `@openzeppelin/wizard-stylus` | 0.3.1 | `npm install @openzeppelin/wizard-stylus@0.3.1` |