Calif discovered stored Cross-Site Scripting (XSS) vunerability in Substack