Batch endpoint on the api was vulnerable to XSPA due to incorrect validation of url parameter in the request body.