ZeroNet: Death by SVG
An often overlooked feature of SVGs is their ability to have embedded scripts, like HTML pages.
When displayed in an <img> tag, SVGs are not permitted to execute scripts; when they are viewed directly, however, they are.
This occasionally leads to XSS vulnerabilities in web services.
Impact on ZeroNet
This meant that SVG files could be used to arbitrarily control a ZeroNet client, and do anything the user could normally do, such as post on ZeroMe, view and send ZeroMail messages, download and seed websites and files, and toggle Tor mode.
Fixing the issue
I contacted Tamas, who quickly responded and got the issue fixed a couple weeks later. The fix was published in release 0.5.7. I highly suggest all ZeroNet users update ASAP.
It is important to keep in mind which MIME types to trust, as more than just HTML can embed and execute code.
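As an added example (not ZeroNet's code and not the fix shipped in 0.5.7), the Python below shows one way to act on this: flag script-capable constructs in an SVG, and serve any MIME type a browser may treat as an active document with a sandboxing Content-Security-Policy. The function names, the MIME type list and the sample SVGs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# MIME types a browser may render as an active document when opened directly.
# Illustrative list (assumption), not taken from ZeroNet.
ACTIVE_MIME_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                     "text/xml", "application/xml"}

# Constructed sample inputs.
SAMPLE_ACTIVE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>/* constructed placeholder */</script>
  <a xlink:href="javascript:void(0)"><circle r="5"/></a>
</svg>"""
SAMPLE_STATIC = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def svg_active_content(svg_text):
    """Return findings describing script-capable constructs in an SVG."""
    findings = []
    # For untrusted input, a hardened parser such as defusedxml is preferable.
    for el in ET.fromstring(svg_text).iter():
        tag = local(el.tag)
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.startswith("on"):  # onload, onclick, ...
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: href on <{tag}>")
    return findings

def response_headers(mime_type):
    """Headers for serving a user-supplied file of the given MIME type."""
    headers = {"Content-Type": mime_type, "X-Content-Type-Options": "nosniff"}
    if mime_type.split(";")[0].strip().lower() in ACTIVE_MIME_TYPES:
        # Opened directly, this type could run script in the serving origin:
        # the sandbox directive disables scripts and gives it a unique origin.
        headers["Content-Security-Policy"] = (
            "sandbox; default-src 'none'; style-src 'unsafe-inline'")
    return headers

if __name__ == "__main__":
    print(svg_active_content(SAMPLE_ACTIVE))
    print(response_headers("image/svg+xml"))
```

The scanner is a detection aid, not a sanitizer; the response headers are what stop a directly viewed SVG from running script.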