The popular online text editor Etherpad has two critical vulnerabilities that can be combined by an attacker to take over an instance and its data, allowing them to steal or manipulate sensitive information. The Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious JavaScript code into the chat history, while the Argument Injection vulnerability enables arbitrary code execution on the server, potentially leading to full compromise of the installation. An attacker can exploit these vulnerabilities by controlling a user ID in chat messages and installing an attacker-controlled plugin, respectively. The XSS vulnerability has been fixed in version 1.8.14, but the Argument Injection vulnerability remains unpatched, requiring additional measures such as disabling admin users or limiting plugin names to trusted NPM package names. Users hosting Etherpad instances are advised to update to version 1.8.14 and prioritize data validation and sanitization during development.