Security review for an AI-generated PR
Catch the common classes of bug that LLM-written code ships. Run this BEFORE you merge.
Review the following pull request diff with security in mind. For each issue, return:

- Severity (CRITICAL, HIGH, MEDIUM, LOW)
- File + line range
- The actual vulnerability class (e.g., "unsanitized HTML render", "SQL string interpolation", "missing auth check on server action")
- The minimal fix

Focus your attention on:

1. Input from user / external API hitting the DB without parameterization
2. HTML rendering of untrusted strings (XSS surface)
3. Auth checks on every server action / API route
4. Secrets accidentally exposed to the client bundle (any non-NEXT_PUBLIC_* env var being imported into a Client Component)
5. Race conditions in optimistic-update flows
6. Open redirects in any redirect handler
7. Mass assignment / over-posting on update endpoints

If you find nothing in a category, say so explicitly. Don't pad with "consider documenting" non-issues.

Diff:

[PASTE DIFF]
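As an added example (not part of this prompt page): a small JavaScript pre-check that scans a unified diff for three of the categories above (SQL string interpolation, non-NEXT_PUBLIC_ env vars in a "use client" file, non-literal redirect targets) so obvious hits are already shortlisted before the diff is pasted into the prompt. The check names, regexes and the sample diff are assumptions constructed for illustration, not a real project's code.

```javascript
// Added example, not part of the original prompt page: a heuristic pre-check over
// a unified diff for three of the categories above. The regexes are assumptions
// that shortlist lines for review; "use client" must be visible in the diff.
const CHECKS = [
  { cls: "SQL string interpolation", severity: "CRITICAL",
    test: (line) => /\b(select|insert|update|delete)\b.*\$\{/i.test(line) },
  { cls: "non-NEXT_PUBLIC_ env var in Client Component", severity: "HIGH",
    test: (line, ctx) => ctx.clientComponent && /process\.env\.(?!NEXT_PUBLIC_)\w+/.test(line) },
  { cls: "redirect target is not a literal (open-redirect surface)", severity: "MEDIUM",
    test: (line) => /\bredirect\(\s*(?!['"`])[^)]/.test(line) },
];
// Returns findings {severity, file, line, cls}; line = post-patch line number.
function scanDiff(diff) {
  const findings = [];
  let file = null, newLine = 0, ctx = { clientComponent: false };
  for (const raw of diff.split("\n")) {
    const header = /^\+\+\+ (?:b\/)?(\S+)/.exec(raw);
    if (header) { file = header[1]; ctx = { clientComponent: false }; continue; }
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { newLine = Number(hunk[1]); continue; }
    if (!file || raw.startsWith("-") || raw.startsWith("diff ")) continue;
    const line = raw.slice(1);                 // drop the "+" / " " prefix
    if (/^\s*['"]use client['"]/.test(line)) ctx.clientComponent = true;
    if (raw.startsWith("+")) {
      for (const c of CHECKS) if (c.test(line, ctx))
        findings.push({ severity: c.severity, file, line: newLine, cls: c.cls });
    }
    newLine++;                                 // added and context lines both count
  }
  return findings;
}
// Constructed sample diff (not from any real project) that trips each check once.
const SAMPLE_DIFF = [
  "--- a/app/profile/page.tsx",
  "+++ b/app/profile/page.tsx",
  "@@ -1,2 +1,4 @@",
  ' "use client";',
  "+const apiKey = process.env.STRIPE_SECRET_KEY;   // ships in the client bundle",
  "+const site = process.env.NEXT_PUBLIC_SITE_URL;  // public by design: no finding",
  " export default function Page() {",
  "--- a/app/actions.ts",
  "+++ b/app/actions.ts",
  "@@ -10,2 +10,4 @@",
  " export async function updateUser(id: string, formData: FormData) {",
  '+  await db.query(`UPDATE users SET name = \'${formData.get("name")}\' WHERE id = ${id}`);',
  '+  redirect(formData.get("next"));',
  " }",
].join("\n");
console.log(scanDiff(SAMPLE_DIFF));   // three findings: HIGH, CRITICAL, MEDIUM
```

Each finding still needs human or model judgement; the script only narrows where to look and cannot see a directive or helper that sits outside the diff context.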