| [CRITICAL] | Unauthenticated File Upload — Stored XSS |
| [CRITICAL] | Full API Access Without Authentication |
| [CRITICAL] | Swagger UI + OpenAPI Schema Exposed |
| [HIGH] | IDOR — Arbitrary Project Deletion |
| [HIGH] | Global Settings Writable Without Auth |
| [HIGH] | Weak Password Policy + No Rate Limiting |
| [MED] | No Data Isolation Between Users |
| [MED] | Wallet Input Validation Missing |