Via HackerOne. An attacker with access to both Phame and the filesystem could potentially load a skin that lives outside of the configured skin directories, because we had insufficient checks on the actual skin at load time.

Attempted to build a blog with an invalid skin; got an exception instead of a mis-load of a sketchy skin.