If you are using https://github.com/wereii/lemmy-thumbnail-cleaner please stop and disable it as soon as possible.
We have found a security issue that allows any user to make LTC delete any locally hosted image.
I will be posting more details soon and editing this to include the information.
On point summary.
And I was just about to write that I have confirmed SQLi is not possible to find out I have missed something that might in-turn make it possible! holy hell back to drawing board
Yikes. Thanks for putting in the works and sharing your findings to you and @[email protected].