Uploading an HTML file to the repository triggers a transformation in the background. If the HTML file contains an <img> tag, then the server-side job would try to render the HTML and send an HTTP request to the URL specified in the <img> tag. These transformations that follow image links are vulnerable to Blind Server-Side Request Forgery (BSSRF) attacks.
In order to stop this from happening HTML pipelines that use LibreOffice needs to be changed to convert from HTML to PDF/IMAGE via TXT instead. With this approach the LibreOffice pipelines will not be used, but you’ll still be able to see the thumbnails and document previews (although the HTML is not rendered).