nostr:npub1ajw6axeack23437kedc8pkwghneenrkh9ljfxxgxumr6t6k4rtvqecaj8d so what's the deal with this new update, will I get haxored for existing or do I have to steal le emoji name

Discussion

nostr:npub1sl8kylr2n9gpnfdg5k5jv9dwda5xm9chuyt73gz4mcl88q5fa0tser5emg You have filename anonymization/deduplication enabled, so it's safe for you right now. I assume the way it works is as follows:

1. You register on a target instance and upload a file named pack.json and structured exactly like regular emoji pack metadata, except with files leading to, say, ../../../../etc/passwd.

2. You then access the endpoint of the same instance that generates the archive out of an emoji pack (don't know which, haven't looked for it yet, no idea how and why the fuck does it accept arbitrary json files instead of pack names that are already on the instance).

3. Wa la, you now have a specific file from the machine Pleroma is on, packed up nicely in an archive.
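
The server-side check that would stop the flow described in the reply above, as an added example that is not part of the thread and is not Pleroma's code: before archiving, every path in the pack metadata is resolved and must stay inside the pack's own directory. The `files` layout (shortcode mapped to a relative path), the function names and the sample metadata are assumptions constructed for illustration.

```python
import json
from pathlib import Path, PurePosixPath

# Constructed sample metadata; the "files" map (shortcode -> relative path)
# is an assumed layout, not copied from Pleroma.
SAMPLE_PACK_JSON = """
{
  "pack": {"description": "constructed sample"},
  "files": {
    "blobcat": "blobcat.png",
    "nested": "extra/party.png",
    "escape": "../../../../etc/passwd",
    "absolute": "/etc/passwd",
    "sneaky": "extra/../../outside.png"
  }
}
"""


def unsafe_entries(pack_json: str, pack_dir: str) -> dict:
    """Return {shortcode: reason} for every file entry that must be rejected."""
    root = Path(pack_dir).resolve()
    data = json.loads(pack_json)
    files = data.get("files") if isinstance(data, dict) else None
    if not isinstance(files, dict):
        return {"<files>": "files is not an object"}
    rejected = {}
    for shortcode, rel in files.items():
        if not isinstance(rel, str) or not rel or "\x00" in rel:
            rejected[shortcode] = "not a usable path string"
            continue
        if PurePosixPath(rel).is_absolute() or "\\" in rel:
            rejected[shortcode] = "absolute path or backslash"
            continue
        # resolve() collapses ".." and follows symlinks that exist on disk,
        # so the comparison is made on the path that would really be opened.
        target = (root / rel).resolve()
        if not target.is_relative_to(root):
            rejected[shortcode] = "resolves outside the pack directory"
    return rejected


def safe_to_archive(pack_json: str, pack_dir: str) -> bool:
    """Archive only when every entry stays inside pack_dir."""
    return not unsafe_entries(pack_json, pack_dir)
```

Rejecting the whole pack when any entry fails, rather than skipping the bad entry, also leaves a clear signal to log and alert on.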