<img src=x onerror=alert(document.domain)> OAuth2 server env defaults allow JWT forgery. Impact: Critical privilege escalation.