lol
guest SVG upload can trigger XXE and exfiltrate local file content
guest-readable user detail data exposes enough material to forge a frontend login cookie
