The exploit at $URL is confirmed to work by the maintainer.
oss-security classified this as "not a security vulnerability" and did not assign a CVE. Closing INVALID.