## Summary

- Vulnerable component: `multi-session` plugin’s `/sign-out` after-hook (`packages/better-auth/src/plugins/multi-session/index.ts`)
- Issue: Hook trusts raw multi-session cookies and forwards unsanitized tokens to `internalAdapter.deleteSessions`, allowing forged cookies to revoke arbitrary sessions.
- Status: Reproduced locally with updated proof-of-concept.

## Impact

Any authenticated attacker who can obtain the plain session token of another user (via log leaks, backups, etc.) can forge a multi-session cookie and trigger `/sign-out`. The hook extracts the attacker-supplied token…
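The difference between trusting a raw multi-session cookie and verifying it before revoking anything, as an added example that is not Better Auth's code or its fix. The cookie names, the `token.signature` layout with HMAC-SHA256, and all function names are assumptions made for illustration.

```javascript
// Added illustration; not Better Auth's code. Cookie names and layout are assumptions.
const { createHmac, timingSafeEqual } = require("node:crypto");

// Assumed signed-cookie layout: "<token>.<base64url(HMAC-SHA256(secret, token))>"
function sign(token, secret) {
  const mac = createHmac("sha256", secret).update(token).digest("base64url");
  return `${token}.${mac}`;
}

// Returns the token only when the signature verifies, otherwise null.
function verifySignedCookie(value, secret) {
  const dot = value.lastIndexOf(".");
  if (dot <= 0) return null; // no signature part, or empty token
  const token = value.slice(0, dot);
  const given = Buffer.from(value.slice(dot + 1), "base64url");
  const expected = createHmac("sha256", secret).update(token).digest();
  if (given.length !== expected.length) return null;
  return timingSafeEqual(given, expected) ? token : null;
}

// Simplified model of the flawed pattern: every multi-session cookie value
// is taken as a session token without checking who produced it.
function tokensTrustingRawCookies(cookies) {
  return Object.entries(cookies)
    .filter(([name]) => name.includes("_multi-"))
    .map(([, value]) => value.split(".")[0]);
}

// Hardened: only tokens from cookies the server itself signed may reach
// the session-deletion call.
function tokensFromVerifiedCookies(cookies, secret) {
  return Object.entries(cookies)
    .filter(([name]) => name.includes("_multi-"))
    .map(([, value]) => verifySignedCookie(value, secret))
    .filter((token) => token !== null);
}

// Constructed sample request: one server-issued cookie, one client-forged cookie.
const SECRET = "constructed-demo-secret";
const sampleCookies = {
  "app.session_token_multi-own": sign("own-session-token", SECRET),
  "app.session_token_multi-forged": "victim-session-token.AAAA",
};
```

With the constructed cookies, the raw-trust function returns both tokens for deletion, while the verified function returns only the token from the cookie the server signed.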
GHSA-wmjr-v86c-m9jj: Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions