1. Mercato API Security Flaw: Missing Route Metadata Left Key Sales Endpoints Unprotected
A critical security flaw in Mercato's API router defaulted routes to public access when their metadata was missing or undefined, leaving at least four key sales endpoints unprotected. The vulnerability, discovered in the `checkAuthorization` function, meant that routes for `shipments`, `order-adjustments`, `quote-adjus...
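
The fail-open default described above, shown next to a fail-closed variant and a route-table audit, as an added example that is not Mercato's code. The metadata fields `requireAuth` and `requireFeatures`, the route paths, and every function name other than the `checkAuthorization` prefix are assumptions made for illustration.

```javascript
// Added illustration; not Mercato's code. The metadata shape
// ({ requireAuth, requireFeatures }) and the route paths are assumptions.

// Constructed route table: two entries have lost their metadata.
const routes = [
  { path: '/api/sales/orders', metadata: { requireAuth: true, requireFeatures: ['sales.orders.view'] } },
  { path: '/api/sales/shipments', metadata: undefined },      // metadata undefined
  { path: '/api/sales/order-adjustments' },                   // metadata key absent
  { path: '/api/health', metadata: { requireAuth: false } },  // explicitly public
];

// Fail-open pattern: missing metadata is treated as "nothing to enforce".
function checkAuthorizationFailOpen(route, user) {
  const meta = route.metadata;
  if (!meta || !meta.requireAuth) return { allowed: true, reason: 'public' };
  return enforce(meta, user);
}

// Fail-closed: a route is public only when its metadata says so explicitly.
function checkAuthorizationFailClosed(route, user) {
  const meta = route.metadata;
  if (meta == null || typeof meta.requireAuth !== 'boolean') {
    return { allowed: false, reason: 'missing-metadata' };
  }
  if (meta.requireAuth === false) return { allowed: true, reason: 'public' };
  return enforce(meta, user);
}

// Shared enforcement for routes that declare requirements.
function enforce(meta, user) {
  if (!user) return { allowed: false, reason: 'unauthenticated' };
  const missing = (meta.requireFeatures || []).filter((f) => !user.features.includes(f));
  return missing.length
    ? { allowed: false, reason: 'forbidden' }
    : { allowed: true, reason: 'authorized' };
}

// Startup or CI audit: list every route that would fall back to a default.
function findRoutesWithoutMetadata(table) {
  return table
    .filter((r) => r.metadata == null || typeof r.metadata.requireAuth !== 'boolean')
    .map((r) => r.path);
}
```

Running `findRoutesWithoutMetadata` at boot or in CI and failing on a non-empty result catches a dropped metadata export before the route is served.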