Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Reported on Aug 24th 2021
✍️ Description
Here is a stored XSS on the user profile image uploader via an SVG file.
🕵️♂️ Proof of Concept
Steps to reproduce:
- Go to account profile
- Click the choose file option to update profile image
- Upload the SVG file containing malicious code (or download it from http://brutelogic.com.br/poc.svg), then open the image and see the XSS pop up.
PoC image: https://ibb.co/njCJ4gD
I used the demo app you hosted and also verified it by hosting it locally. For PoC purposes I am giving your demo app's profile link: https://demo.livehelperchat.com/var/userphoto/2021y/08/24/1/7c0dd946d97921107d75acdcbfec6bad.svg
💥 Impact
Stored XSS
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
These are some demo reports: https://hackerone.com/reports/179164 https://hackerone.com/reports/894876
And I'm talking about a real-world situation. Right now you had access to the back office because it's a demo; in normal circumstances you won't have it, so how are you going to exploit that, as visitors also can't upload these types of files?
Consider if any user's account is compromised: the attacker can use it as a target app, host such a file on it, and send it along worldwide... I hope, if you're considering it like that, then there is no point in reporting issues to this repo, since it is a backend and no admin will hack himself...!!
In any case I have approved the issue, as I can do cleanups using third-party libraries like https://github.com/darylldoyle/svg-sanitizer :)
Also the exploit may differ from one's imagination... as you know...
And yes, that's what I wanted to tell. It's more like hacking itself :D
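The cleanup the maintainer mentions (sanitizing uploaded SVGs) can be backed by a rejection check at upload time. The following is an added example, not livehelperchat's code and not the svg-sanitizer library: it parses an uploaded SVG with the Python standard library and reports the constructs a browser executes when the file is opened directly, which is what the PoC relies on; the two sample files are constructed here, not the reporter's poc.svg.

```python
"""Gate for uploaded SVG "profile images": flag the parts a browser executes.
Added example, not livehelperchat's code and not the svg-sanitizer library the
maintainer mentions; it uses only the Python standard library."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that run script or embed foreign HTML/documents when the SVG is opened directly.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Constructed sample uploads (not the reporter's poc.svg).
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4" fill="red"/></svg>'
BAD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
           b' onLoad="void 0"><script>/* sample */</script>'
           b'<a xlink:href="javascript:void(0)"><text>hi</text></a></svg>')

def _local(name: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]

def _unsafe_url(value: str) -> bool:
    """True for any scheme other than http/https (javascript:, data:, vbscript:, ...).
    Whitespace/control characters are dropped first because browsers ignore them
    inside a scheme, so 'java\\tscript:' must count as 'javascript:'."""
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value.lower())
    match = re.match(r"^([a-z][a-z0-9+.-]*):", cleaned)
    return bool(match) and match.group(1) not in ("http", "https")

def svg_findings(data: bytes) -> list:
    """Return the reasons an upload must be rejected; an empty list means none found."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return ["root element is not <svg> in the SVG namespace"]
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{name}>")
        for attr, value in elem.attrib.items():
            lname = _local(attr).lower()
            if lname.startswith("on"):  # onload=, onclick=, onmouseover=, ...
                findings.append(f"event handler {lname} on <{name}>")
            elif lname == "href" and _unsafe_url(value):  # covers href and xlink:href
                findings.append(f"non-http(s) href on <{name}>: {value[:30]!r}")
    return findings
```

Passing this check still does not make it safe to serve the file inline from the site's own origin; serving profile images with a restrictive Content-Security-Policy, or rasterizing them on upload, closes the same vector regardless of file content. xml.etree does not fetch external entities but does not defend against entity-expansion bombs either, so cap the upload size or parse with defusedxml.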