1. CSRF Protection Absent on Key API Endpoints: Default Config Exposes Admin Actions to Malicious Requests
A security vulnerability has been identified in multiple state-mutating REST API endpoints under `/api/v1/`: Cross-Site Request Forgery (CSRF) token validation is not enforced when the configuration option `WTF_CSRF_ENABLED` is left at its default of `False`. The flaw affects administrative functions including dashboard saves, ...
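To check whether a deployment is exposed, the following added example (not code from the affected project) statically audits a Python config file for the effective value of `WTF_CSRF_ENABLED`. The function names, the sample configs and the `default=False` parameter are assumptions of this example; the default mirrors what the advisory states.

```python
import ast

SETTING = "WTF_CSRF_ENABLED"  # config key named in the advisory


def csrf_setting_state(config_source: str, default: bool = False) -> str:
    """Return 'enabled', 'disabled' or 'dynamic' for the effective setting.

    default=False follows the advisory's description of the shipped default
    (an assumption of this example); pass True if the application under
    audit enables CSRF checks when the key is absent.
    """
    state = "enabled" if default else "disabled"
    # Only top-level statements are inspected, in order, so the last
    # assignment wins. Assignments inside if/try blocks are not followed.
    for node in ast.parse(config_source).body:
        if isinstance(node, ast.Assign):
            targets, value = node.targets, node.value
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            targets, value = [node.target], node.value
        else:
            continue
        if not any(isinstance(t, ast.Name) and t.id == SETTING for t in targets):
            continue
        if isinstance(value, ast.Constant) and isinstance(value.value, bool):
            state = "enabled" if value.value else "disabled"
        else:
            # Computed at runtime (environment lookup, function call, ...):
            # cannot be decided statically, needs a manual check.
            state = "dynamic"
    return state


# Constructed sample configs, not taken from any real deployment.
SAMPLES = {
    "unset.py": "SECRET_KEY = 'placeholder'\n",
    "explicit_off.py": "WTF_CSRF_ENABLED = False\n",
    "hardened.py": "WTF_CSRF_ENABLED = False\nWTF_CSRF_ENABLED = True\n",
    "env_driven.py": "import os\nWTF_CSRF_ENABLED = os.environ.get('CSRF') == '1'\n",
}


def audit(samples: dict) -> dict:
    """Map each config name to its effective CSRF state."""
    return {name: csrf_setting_state(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, state in audit(SAMPLES).items():
        print(f"{name:16} {SETTING} -> {state}")
```

Treat both `disabled` and `dynamic` results as findings: the first needs the setting turned on, the second needs the runtime value confirmed on the running instance.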