Back in the day I wrote a PoC exploit for my employers app that abused an image upload api by embedding a jar file inside an svg as XXE which then got me RCE. Fun times.