test: add CVE-2025-11953 comment above second test case

Co-authored-by: huntie <2547783+huntie@users.noreply.github.com>

Author: Copilot

packages/cli-server-api/src/__tests__/openURLMiddleware.test.ts

@@ -53,6 +53,7 @@ describe('openURLMiddleware', () => {
     openURLMiddleware(req, res, next);
   });
 
+  // CVE-2025-11953
   test('should reject malicious URL with invalid hostname', (done) => {
     const maliciousUrl = 'https://www.$(calc.exe).com/foo';
     const req = createMockRequest('POST', {url: maliciousUrl});