alt Hacker NewsI'm giving them the benefit of the doubt, as the alternative would be that their developers are completely incompetent. The vulnerability is the equivalent to letting a user save HTML to a database and then injecting it into every page completely unsanitized.
Mintlify had a blacklist in place to not allow them to do this with most file types. Someone failed to add SVG to it. It's not like they weren't thinking about security. The challenge with security, as you know, is it's only as strong as it's weakest link. It only takes one ignorant/incompetent person in an entire organization to jeopordize the org. But even a competent person can make a crucial mistake.