This was fixed in April with the release of imagevue 16.2. You still will be able to see XML relative folder tree, but that is pretty futile aslong as there is no upload vulnerability.