@tetra This sucks, but security vulnerabilities can happen to literally any project. Coincidentally, Mastodon also just released a fix for a critical security vulnerability.
They disclosed the vulnerability and released both a workaround and a fix for it nearly immediately after it was reported, which I think says a lot more about the trustworthiness of the project than the fact that a vulnerability existed.