Thanks for reporting the issue.
The XSS was related to the filenames.
Although most operating systems don't allow users to upload files containing greater-than/less-than symbols, it's possible to add them by tampering with the requests and changing the filename.
From there you could change the filename to "<script>alert("xss")</script>" and run an XSS.
This has now been patched by encoding the characters.
Once we're a bit more stable we'll be sure to release a bug bounty program.
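The fix described in the reply (encoding the filename before it is rendered) is illustrated below as an added example; it is not the project's own code. It shows the unencoded rendering beside the encoded one, using the filename quoted in the report, plus an assumed upload-time filename policy (`isAcceptableFilename`) as a second layer that the reply does not mention.

```javascript
// Added example, not the project's code: rendering an uploaded filename
// safely in an HTML file listing.

// Minimal HTML entity encoder for text placed inside an element body or a
// quoted attribute value. These five characters are the ones that can
// change the meaning of the markup in those contexts.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Before the patch: the filename is concatenated straight into the markup,
// so a filename containing tags becomes part of the page.
function renderFileRowUnsafe(filename) {
  return `<li class="file">${filename}</li>`;
}

// After the patch: the filename is encoded before it reaches the HTML, so
// the browser shows the characters instead of interpreting them.
function renderFileRowSafe(filename) {
  return `<li class="file">${escapeHtml(filename)}</li>`;
}

// Assumed defence in depth at upload time (not something the reply states):
// reject filenames with characters that have no place in a filename, since
// the request can be tampered with regardless of what the client's OS allows.
function isAcceptableFilename(filename) {
  return /^[A-Za-z0-9._ -]{1,255}$/.test(filename) && !/^\.+$/.test(filename);
}

// The filename from the report, used here as sample input.
const reportedFilename = '<script>alert("xss")</script>';

console.log('unsafe:', renderFileRowUnsafe(reportedFilename));
console.log('safe:  ', renderFileRowSafe(reportedFilename));
console.log('accepted at upload:', isAcceptableFilename(reportedFilename));
```

Encoding at render time is the actual fix; the upload-time check only narrows what reaches storage and should never replace output encoding, since filenames can arrive from other paths (imports, renames, API clients) that bypass it.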