Tomorrow we want to publish the files of Publii v.0.43 and fortunately, as I see it, two dependencies will solve this issue (Electron and sharp); they will be upgraded to the newest possible versions.
Fortunately, due to Publii's nature, this bug has limited impact, because first a user has to use a WebP image from an untrusted source. I do not see a way to evaluate it remotely as, e.g., in 1Password, where some other user from a shared vault could change a vault image to an affected one and then attack other users of the vault.