# Security Fixes Applied

## Critical
1. Missing exit() after json_response in SigningController::submit() — execution continued past error response
2. SQL injection via raw query() with integer interpolation (envelope_id, tplId)
3. Header injection (CRLF) via addslashes on Content-Disposition filename
4. XSS via unescaped flash messages rendered as HTML
5. Stored XSS via unescaped user_agent in audit trail
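
Item 3 illustrated as an added example (not the project's code or its actual fix): `addslashes()` escapes quotes, backslashes and NUL but leaves CR and LF in place, so the filename has to be stripped of control characters before it reaches the header. The function names and the sample filename are hypothetical.

```php
<?php
declare(strict_types=1);

// Before: the pattern named in item 3. addslashes() does not touch CR/LF,
// so a filename containing "\r\n" carries the line break into the header value.
function disposition_unsafe(string $filename): string
{
    return 'attachment; filename="' . addslashes($filename) . '"';
}

// After: hypothetical hardened helper (an assumption, not the project's code).
function disposition_safe(string $filename): string
{
    // Remove every control character (CR, LF, NUL, TAB, DEL, ...).
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $filename) ?? '';
    // Neutralise path separators so the client never sees a path.
    $name = trim(str_replace(['/', '\\'], '_', $name));
    if ($name === '' || $name === '.' || $name === '..') {
        $name = 'download';
    }
    // Quoted-string fallback: printable ASCII only, with " and \ replaced.
    $ascii = preg_replace('/[^\x20-\x7E]|["\\\\]/', '_', $name) ?? 'download';
    // RFC 6266 / RFC 5987 extended parameter carries the exact name,
    // percent-encoded, for clients that support it.
    return sprintf(
        "attachment; filename=\"%s\"; filename*=UTF-8''%s",
        $ascii,
        rawurlencode($name)
    );
}

// Constructed sample input: a filename with an embedded CRLF sequence.
$input = "report.pdf\r\nX-Injected: 1";

// The unsafe value still contains the raw line break; the safe one does not.
var_dump(strpos(disposition_unsafe($input), "\r\n") !== false);
var_dump(strpos(disposition_safe($input), "\r\n") !== false);

// In a controller this value would be sent as:
//   header('Content-Disposition: ' . disposition_safe($input));
echo disposition_safe($input), PHP_EOL;
```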

## High
6. SSRF via webhook URL — no private IP block
7. API wildcard CORS (Access-Control-Allow-Origin: *) exposes user data
8. MFA brute-force — no rate limiting on /mfa endpoint
9. CSV injection in exports — formula injection via user-controlled data
10. Signature base64 not validated — arbitrary data written to disk

## Medium
11. API rate limiter defined but never called
12. MIME type not verified against file extension — .php.pdf bypass
13. commandExists passes fixed strings — not user input, acceptable
14. is_superadmin only in session after first check — already correct
15. Open redirect via SESSION intended — url() wraps all redirects, safe
