Combine that with CVE-2025-24010 and any website was able to read any file on developers' computers.

https://github.com/advisories/GHSA-vg6x-rcgg-rjx6