GSSA-2026-04-0RTEGR2026-04-251.7 Low
Embed image and thumbnail URLs not validated on panel creation
The panel creation endpoint passed `data.image` and `data.thumbnail` straight into Discord embed builders without validating the URL scheme, accepting `data:`, `attachment:`, or arbitrary protocols.
The panel creation endpoint passed data.image and data.thumbnail straight into Discord embed builders without validating the URL scheme, accepting data:, attachment:, and arbitrary protocol values.