@[email protected] for anyone too bothered (like me) - this vuln only applies to authorized users. so single-user instances are fine, and those that are approve-only are mostly fine too (assuming people on your instance are not assholes). though that's actually some serious shit. and it's baffling for me how did that code not raise any questions on code review. i should really review all of the sharkey-specific code... i can't trust it anymore