Security is built in layers. Dude the Poast vuln was just BARELY able to work. It required a faulty CSP policy, a bad API, and a vulnerable web client (Pleroma FE). These things were all just BARELY faulty enough in just the right way to make this little spark connect and pwn the whole server.