There has been a vulnerability discovered in Lemmy. I have no reason to believe lemmy.cafe itself has been breached. We do no have any custom emojis, which appears to have been the culprit of some XSS attack.

As a safety precaution, however, I have applied the suggested fix and rotated the JWT token, which will have invalidated everyone's session.