Unauthenticated DB Access and Account Takeover via a Leaked Staging Domain
A hostname referenced inside a production JavaScript bundle pointed at a staging environment where every /api/admin/* route was reachable without authentication, including one that returned a password reset link for any user ID.