This is trivially exploitable to run code.

Pointed-out-by: Tobias Klein