Did y'all notice librsvg's CVE from right before GUADEC? Zac Sims just published a very nice analysis of how the Canva engineers found the bug. When URL parsers disagree: Discovery and walkthrough of CVE-2023-38633 in librsvg - https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/