HackerOne reported vulnerability: Cross-site Scripting (XSS) Vulnerability in SVG attachments
<script> tags. Browsers are smart enough to ignore scripts embedded in SVG files included via IMG tags. However, a direct request for an SVG file will result in the scripts being executed.
So an SVG embedded as an attachment in an issue or as an avatar does not execute the code, but if a user clicks on the attachment, the code will execute.
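
A server-side check for the behaviour described above, as an added example that is not part of the report or of the affected project's code: it flags active content in an uploaded SVG and picks response headers so that a direct request downloads the file instead of rendering it. The function names, the sample files and the header policy are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can run or load active content when an SVG is opened as a document.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1].lower()

def find_active_content(svg_bytes):
    """Return a list of reasons the SVG is unsafe to serve inline (empty = none found)."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["not well-formed XML"]  # reject rather than guess how a browser parses it
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            # Browsers strip leading control characters and embedded tabs/newlines from URLs.
            target = re.sub(r"[\x00-\x20]", "", value).lower()
            if name.startswith("on"):
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and target.startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings

def attachment_headers(content_type):
    """Response headers for a direct request to a user-uploaded file."""
    headers = {"Content-Type": content_type, "X-Content-Type-Options": "nosniff"}
    if content_type.split(";")[0].strip().lower() == "image/svg+xml":
        # Download instead of rendering as a document in the application's origin.
        headers["Content-Disposition"] = "attachment"
        # Defence in depth if the file is rendered anyway: no script, sandboxed origin.
        headers["Content-Security-Policy"] = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
    return headers

# Constructed sample uploads (not taken from the report).
ACTIVE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"><script>/* placeholder */</script></svg>'
PLAIN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'

if __name__ == "__main__":
    for sample in (ACTIVE_SVG, PLAIN_SVG):
        print(find_active_content(sample))
    print(attachment_headers("image/svg+xml"))
```

The scan is a reject-on-finding filter, not a sanitizer; the headers are what keep a file that slips past it from running script in the application's origin.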