“Can’t media format X run arbitrary code” is almost never an issue with the format itself and virtually always a bug with a particular decoder/player.

I actually held a presentation on it, yeah! It wasn’t really a webp problem, but an issue in the image decoder library which was used in basically… everything to open Webp. What happened was that you could tell the OS to build a super bad (Huffman Tree, which in turn led to the decoding not fitting in the allocated memory space and overflowing.

It’s a format published by Google without much industry input. I imagine, that’s why it isn’t seeing terribly much adoption.

AVIF and JPEG-XL might do better, but they’re still relatively young formats.