The Django secret key was hard-coded in the GitHub repository, which is vulnerable, as reported in
https://huntr.dev/bounties/1-other-cythron/Tweango/. Since the GitHub public API monitors every single git commit that is made, an attacker can still find the key in the commit list.
The key is still exposed.
An attacker can still forge JSON objects and create CSRF, as the vulnerability has not been fixed properly.
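
A maintainer can check whether a key removed from the current tree is still present in earlier commits. This is an added example, not code from the Tweango repository; the sample log, commit ids and file path are constructed, and it assumes the key is assigned to `SECRET_KEY` as a string literal.

```python
import re
import subprocess

# An added ("+") diff line that assigns a string literal to SECRET_KEY.
HARDCODED = re.compile(r"""^\+\s*SECRET_KEY\s*=\s*(['"])(?P<value>.+?)\1""")

def find_hardcoded_secret_keys(log_text):
    """Return (commit, path, masked_value) for each literal key added in history."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif (m := HARDCODED.match(line)):
            # Mask the value so the report itself does not leak the key.
            findings.append((commit, path, m.group("value")[:4] + "..."))
    return findings

def scan_repo(repo_dir="."):
    """Scan every commit reachable from any ref, not only the checked-out tree."""
    out = subprocess.run(["git", "-C", repo_dir, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return find_hardcoded_secret_keys(out)

# Constructed, abbreviated `git log -p` output: the newer commit removes the
# literal key, but the older commit that introduced it is still in history.
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222

    Read SECRET_KEY from the environment

--- a/project/settings.py
+++ b/project/settings.py
@@ -20,1 +20,1 @@
-SECRET_KEY = 'constructed-sample-key-not-real'
+SECRET_KEY = os.environ['DJANGO_SECRET_KEY']

commit 1111111111111111111111111111111111111111

    Initial commit

--- /dev/null
+++ b/project/settings.py
@@ -0,0 +20,1 @@
+SECRET_KEY = 'constructed-sample-key-not-real'
"""

if __name__ == "__main__":
    for commit, path, masked in find_hardcoded_secret_keys(SAMPLE_LOG):
        print(f"{commit[:8]} {path}: literal SECRET_KEY ({masked}) still in history")
```

Any finding means the key has to be replaced with a new one that is loaded from outside the repository, because deleting the line in a later commit does not remove it from earlier ones.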