Lemmy was/is vulnerable for XSS attacks.
Hackers try to inject JavaScript code that tries to steal your (ideally admin) cookie credentials. It seems that the admin account of lemmy.world was compromised this way (MichelleG). Other instances aren’t safe either. Which could point to the custom emojis feature in the federate comments, meaning a lot of external instances could be effected by now.
Incorrect escaping of user input data could lead to these issues. Kbin just recently discovered a similar regression issue and which has been solved by now. But it seems that Lemmy was or still is vulnerable to this attack factor.
Mitigation action Lemmy users: You might want to disable JavaScript in the meanwhile.
Mitigation action for Lemmy server owner: Disable custom emoji:
DELETE FROM custom_emoji_keyword;
DELETE FROM custom_emoji;
Clean-up the exploit content:
UPDATE comment SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
UPDATE private_message SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
UPDATE post SET body = '<REMOVED BY ADMIN>' WHERE body LIKE '%![" onload%';
UPDATE post SET name = '<REMOVED BY ADMIN>' WHERE name LIKE '%![" onload%';
Rotate your JWT secret (invalidates all current login sessions):
UPDATE secret SET jwt_secret = gen_random_uuid();
Note: Even just opening a link to a vulnerable Lemmy instance could allow hackers to steal your cookies or sessions credentials. Therefore I will not share or allow people to share URLs of comprised / vulnerable instances.