sunaurus just posted this in the lemmy dev chat:

Reposting from another channel to get this out to as many admins as possible:

Current mitigations:

Remove custom emoji

DELETE FROM custom_emoji_keyword;
DELETE FROM custom_emoji;

Overwrite content with the exploit

UPDATE comment SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
UPDATE private_message SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
UPDATE post SET body = '<REMOVED BY ADMIN>' WHERE body LIKE '%![" onload%';
UPDATE post SET name = '<REMOVED BY ADMIN>' WHERE name LIKE '%![" onload%';

Rotate your JWT secret (invalidates all current login sessions)

– back up your secret first, just in case

SELECT * FROM secret;

– generate a new secret

UPDATE secret SET jwt_secret = gen_random_uuid();

Probably worth doing