Ekultek / CVE-2019-17625

Working exploit code for CVE-2019-17625


CVE-2019-17625

There is a stored XSS vulnerability in Rambox 0.6.9 due to unsanitized parameters in the name field when a user is adding a service. Since Rambox runs on Node.js, this allows OS commands to be injected into an `<a>` or `<img>` tag.

Note: This exploit code has only been tested on macOS and may need to be reconfigured for other operating systems.
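The root cause described above, shown as a hypothetical before/after in JavaScript. This is an added example, not Rambox's code or code from this repository; the function names, the 64-character limit and the sample service name are assumptions made for illustration.

```javascript
// Added example: hypothetical rendering helpers, not Rambox source code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag or break out of an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the user-supplied name is concatenated straight into markup,
// so any tag typed into the name field is stored and rendered as HTML.
function renderTabUnsafe(service) {
  return '<span class="tab-title">' + service.name + '</span>';
}

// "After": the name is treated as text only.
function renderTabSafe(service) {
  return '<span class="tab-title">' + escapeHtml(service.name) + '</span>';
}

// Validation at the "add service" step: bounded length, no control characters.
// The 64-character limit is an assumed policy value.
function validateServiceName(name) {
  if (typeof name !== 'string') return false;
  const trimmed = name.trim();
  if (trimmed.length === 0 || trimmed.length > 64) return false;
  return !/[\u0000-\u001f\u007f]/.test(trimmed);
}

// Count opening tags in the rendered markup beyond the wrapper <span>.
function injectedTagCount(html) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.length - 1;
}

// Defense in depth: Electron webPreferences that keep Node.js APIs out of
// the renderer, so an XSS bug cannot reach OS commands directly.
const hardenedWebPreferences = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// Constructed sample: a benign name carrying markup, standing in for user input.
const sample = { name: 'Discord <img src="x" alt="marker">' };

console.log('unsafe injected tags:', injectedTagCount(renderTabUnsafe(sample)));
console.log('safe injected tags:  ', injectedTagCount(renderTabSafe(sample)));
console.log('safe markup:', renderTabSafe(sample));
```

Output encoding is the fix for the stored XSS itself; the `webPreferences` settings only limit what a script in the renderer can reach if encoding is missed somewhere.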

Exploit code

The exploit code creates a service (using Discord as a base). The shell requires that the system has `mkfifo` available. You can of course swap out the payload for whatever you want.

PoC

[Image: rce_rambox_poc]
