For 5 character hash it's very easy to get collisions. People could "overwrite" other users' images by mining a nonce to their own image that creates a hash collision.

Maybe a 15-30 character substring of the full hash could be used to match the url quite safely. But full hash url would be cool for future-proof interoperability between hosts.