Often links can be abused to take control of pages. This is a problem that is known for a very long time but it seems many developers are not aware of this or forgot about this.
Valid URLs can use a wide range of different protocols. This requires strict validation of user supplied URLs combined with correct checks. Too lax or wrong checks can quickly lead to vulnerabilities.
npm, pnpm and yarn were vulnerable to binary planting and arbitrary file (over)write through the bin field in package.json.
This is a post mortem report of a hacked WordPress instance with a cryptominer in 2018 which was handled by me.
This is a post mortem report of a contact form spam attack in 2018 which was handled by me.