Summary:
Unauthenticated admin dashboard accessible at /admin_index.php - visiting https://host/hashtech-local/admin_index.php

Steps to reproduce:
1. Open a browser and navigate to: https://host/hashtech-local/admin_index.php
2. Observe the administrative interface loads without requiring login.

Vendor of the product(s) info:
henzljw (GitHub account)

Affected product(s)/code base info:
Product: hashtech
Version: Initial Commit (BETA) - March 2, 2021 (Git commit 5919dec, latest as of July 2021)

Impact:
- Full access to gadgets management (create/modify/delete products, change prices and descriptions).
- Access to orders (view order details, change order status, refund/cancel orders).
- Access to payments metadata and workflows (view payment-related information; any admin payment workflows could be manipulated).
- Access to user accounts (view user PII, reset/change account settings, modify user roles).
- Ability to perform other administrative actions exposed by the dashboard (manage content, change site settings, potentially upload files).

Consequences include data disclosure (customer data, orders), fraudulent transactions or refunds, product catalog manipulation, and more.

Affected project:
GitHub repo: https://github.com/henzljw/hashtech

Recommendation:
- Add a centralized server-side authentication guard at the top of every admin page.
- Harden admin login.
- Defense-in-depth: apply webserver-level protections for admin endpoints.
- Audit all admin pages.

Discovered by:
Team DisclosureX
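
One way to check the "guard at the top of every admin page" and "audit all admin pages" recommendations, as an added example that is not code from the hashtech repository: a Python audit that flags admin pages whose first statement is not a `require` of a shared guard file. The guard file name `admin_guard.php` and the `admin_*.php` naming pattern are assumptions, and the sample tree in `demo()` is constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the shared guard lives in a file named admin_guard.php (hypothetical).
GUARD = "admin_guard.php"
# Whitespace and comments that may legitimately precede the guard include.
SKIP = re.compile(r"(?:\s+|//[^\n]*|#[^\n]*|/\*.*?\*/)+", re.S)
# Only require/require_once count: include merely warns and continues if the file is missing.
REQUIRE = re.compile(
    r"require(?:_once)?\s*\(?\s*(?:__DIR__\s*\.\s*)?['\"][^'\"]*"
    + re.escape(GUARD) + r"['\"]\s*\)?\s*;"
)

def first_statement_is_guard(source: str) -> bool:
    """True only if the file opens with <?php and its first statement requires the guard."""
    if not source.startswith("<?php"):
        return False  # markup before <?php is sent before any check can run
    pos = len("<?php")
    skipped = SKIP.match(source, pos)
    if skipped:
        pos = skipped.end()
    return REQUIRE.match(source, pos) is not None

def unguarded_admin_pages(root, pattern="admin_*.php"):
    """Return sorted relative paths of admin pages that do not start with the guard."""
    root = Path(root)
    missing = []
    for page in root.rglob(pattern):
        if page.name == GUARD:
            continue  # the guard itself matches the pattern; skip it
        if not first_statement_is_guard(page.read_text(errors="replace")):
            missing.append(page.relative_to(root).as_posix())
    return sorted(missing)

def demo():
    """Run the audit over a small constructed tree (not the real repository)."""
    samples = {
        "admin_index.php": "<?php\n$orders = load_orders();\n",
        "admin_orders.php": "<?php\n// orders\nrequire_once __DIR__ . '/admin_guard.php';\n",
        "admin_users.php": "<html><?php require 'admin_guard.php'; ?>",
        "admin_guard.php": "<?php\nsession_start();\n",
        "index.php": "<?php echo 'shop';\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body)
        return unguarded_admin_pages(tmp)

if __name__ == "__main__":
    print(demo())
```

A check like this can run in CI so that a new admin page added without the guard fails the build; it verifies only that the guard is included first, not that the guard's own session logic is correct.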