@thisismissem Wow, and there I thought (even with looking in the diff, granted I'm not familiar with Mastodon's codebase) it was just injecting weird posts that weren't actually made by the user.

At least I asserted correctly that Pleroma isn't vulnerable (I'd say it fundamentally can't, it all goes through the same validation process).