We had a CSRF which could not be used at all anyway. Of course the spot was fixed in a minute after reporting.

Part of the data is still stored in floats, we are upgrading at the moment and we aim to release the new version live this night.

On both points I can say honestly that neither the found CSRF could have harmed a user, nor the floats (on the datatypes we still use them) could cause crucial loss of data.