@pomstan@xn--p1abe3d.xn--80asehdb /api/v1/pleroma/remote_interaction (public) is a known way.
And I’m not a full-disclosure-on-day0 person so if you want exploit details it’ll have to wait until I can be reasonably sure people have their software fixed.