This is outdated information
The updates system should now be more secure. ".." in filenames is now substituted with nothing, so in theory you shouldn't be able to do path traversal, there probably is a way still though.
curl -X POST -F 'filename=13-10-2023.html' https://kotiboksi.xyz/updates/
Do some experimenting with this command if you feel like it, if you find some kind of exploit contact me and i will give you something™
The main page also looks a bit nicer now, as the .html part in the buttons is removed.