Cheers for that. Many of these issues allow an authenticated user to do admin actions if they do the right things, so it seems you should never allow a user that you don’t fully trust to have an account.

But outside of this, there isn’t anything in there that on its own worries me given the nature of the platform (that is, that if it all burnt down I could retrieve all data from other sources). I’m no expert but a cursory look shows a bunch of potential issues that may be layered with other issues but no clear attack path except with prior knowledge.

These should obviously be fixed but there’s nothing that makes me want to rip my server off the open internet in a hurry.

What kids of things?

I’ve never worried that much because it’s not critical data and it’s containerised in Docker, but I am curious about specifics because large numbers of people expose it to the internet (through reverse proxies).

Isn’t there an assumption it would be behind a reverse proxy… At least I hope that’s the assumption.