FastAPI is vulnerable to cross-site request forgery (CSRF). The Content-Type header is not verified before files are assumed to be of JSON type. This allows an attacker to inject and execute arbitrary JavaScript via a content type of text/plain, which would be rendered as HTML.
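The missing check, sketched as an added example (this is not FastAPI's own code): a lenient parser that decodes the payload as JSON whatever the Content-Type header says, next to a strict one that first requires a JSON media type. The function names and sample requests are hypothetical, and only the Python standard library is used.

```python
import json
from email.message import Message

# Constructed sample requests: (Content-Type header, raw body).
SAMPLES = [
    ("text/plain", b'{"amount": 100}'),
    ("application/json; charset=utf-8", b'{"amount": 100}'),
    ("application/vnd.api+json", b'{"amount": 100}'),
    (None, b'{"amount": 100}'),
]


def is_json_content_type(header_value):
    """True only for application/json or application/*+json media types."""
    if not header_value:
        return False
    msg = Message()
    msg["content-type"] = header_value
    if msg.get_content_maintype() != "application":
        return False
    subtype = msg.get_content_subtype()
    return subtype == "json" or subtype.endswith("+json")


def parse_body_lenient(content_type, body):
    """Flawed pattern: the body is decoded as JSON whatever the header says."""
    return json.loads(body)


def parse_body_strict(content_type, body):
    """Hardened pattern: decode only when the header declares a JSON type."""
    if not is_json_content_type(content_type):
        raise ValueError("unsupported media type: %r" % (content_type,))
    return json.loads(body)


def audit(samples=SAMPLES):
    """Return (header, accepted_by_lenient, accepted_by_strict) per sample."""
    results = []
    for content_type, body in samples:
        parse_body_lenient(content_type, body)  # never inspects the header
        try:
            parse_body_strict(content_type, body)
            strict_ok = True
        except ValueError:
            strict_ok = False
        results.append((content_type, True, strict_ok))
    return results
```

In a real handler the `ValueError` would map to an HTTP 415 response, so a body labelled text/plain never reaches the JSON decoder.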