Looks like the website has been overwhelmed with spam, and, possibly hacked/exploited [1]. It looks like someone has been able to create directories & upload scripts [2]?
I do bug bounty in my spare time so this was an interesting live find.
>>update+(OP)
Scripts are permitted in html uploads (all content is iframed and served from a separate domain), though I will go through and remove blank directories for now.
I’ll likely add checks for an index.html for any upload and turn off indexing in the future to prevent these.