Christopher Lemmer Webber @cwebber@octodon.social
@szbalint @joeyh not sure if you saw the Guile vulnerability that we uncovered a while ago where live hacking sessions listening on localhost were vulnerable to confused deputy attacks through browsers and etc (notably, also activitypub instances that don't heed this advice) that allowed arbitrary code execution lists.gnu.org/archive/html/gui

localhost-only ain't
