Honestly it was not trivial, the custom emojis in the markdown parser seems to be vulnerable. Of course everything should be sanitized, but in practice there are cases where it’s hard to make a proper sanitization while retaining features to let users write weird stuff. This is not the case of “validate a username” that you know very well which regex to use and which character space.
I would actually say that this vulnerability should have been prevented using proper cookie security, which should make it impossible to steal the session via XSS.
I do acknowledge though that it’s not easy to take care of all of this when it’s 2 people working on everything (from design to frontend, passing for deployment etc.), especially if there are no specific competencies in appsec.
You can use docker inspect command to dump any meaningful info about the running containers. You can get details about networking, images etc.
Also you can check systemd units (or whatever your system uses) in case they are used to launch containers or docker compose files.
Running ps you should also be ablen to see if docker-compose is used, and in general this uses standard names (docker-compose.yml/.yaml), so you can simply find / -name those.