| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| mojo42/jirafeau | composer | < 4.4.0 | 4.4.0 |
The XSS vulnerability occurs because: 1) SVG files containing JavaScript are accepted by the media type detection (get_media_type), and 2) the preview rendering (View::display) serves them inline without proper security headers. The core vulnerability manifests in the View::display function, which outputs the uploaded content without adequate CSP protection, so script inside a previewed SVG runs in the application's origin. The get_media_type function enables the attack vector by allowing SVG uploads. The merge request shows that security headers were added to the preview response, confirming View::display was the vulnerable entry point.
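The class of fix the advisory describes, as an added PHP example that is not Jirafeau's own code: a preview handler that serves an upload with no security headers, beside a hardened one that adds a restrictive CSP and forces script-capable types such as SVG to download. The function names, `$path` and `$mime` are assumptions.

```php
<?php
// Added example (not Jirafeau's code). $path is the stored upload on disk,
// $mime is the media type the upload step detected for it.

// Vulnerable pattern: an SVG is a full document, so rendering it inline with
// no CSP lets any <script> or on*= handler inside it run in the site's origin.
function preview_unsafe(string $path, string $mime): void
{
    header('Content-Type: ' . $mime);
    readfile($path);
}

// Hardened pattern: every preview response carries a CSP that forbids script
// and a sandbox; types that can carry script are forced to download instead.
function preview_hardened(string $path, string $mime): void
{
    $scriptCapable = [
        'image/svg+xml',
        'text/html',
        'application/xhtml+xml',
        'text/xml',
        'application/xml',
    ];

    header('X-Content-Type-Options: nosniff');
    // No scripts, plugins, framing or form submission from the preview.
    header("Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data:; sandbox");
    header('X-Frame-Options: DENY');
    header('Referrer-Policy: no-referrer');

    if (in_array(strtolower($mime), $scriptCapable, true)) {
        // Never render as a document: hand it to the browser as a download.
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
    } else {
        header('Content-Type: ' . $mime);
        header('Content-Disposition: inline');
    }
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

The CSP alone stops script execution in a directly opened SVG; the attachment disposition is defence in depth for browsers or embedding contexts where the policy is not applied.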