Create

Many Security Weaknesses

pau101 opened this issue · 3 comments

commented

Currently, servers which are running the latest release "0.2.4e" and prior are vulnerable to numerous severe exploits including arbitrary item creation, arbitrary chunk generation, command block permissions bypass, forced crash denial of service, and unrestricted remote file upload.

Vulnerabilities

NbtPacket
A custom client may create arbitrary, otherwise unobtainable items due to permissive NBT modification. The scope of this vulnerability has been reduced in dev by commit 196083c; however, the remaining permissive NBT editing can still be exploited, for example by adding enchantments.

ConfigureSchematicannonPacket & TileEntityConfigurationPacket
Arbitrary chunk generation can be performed, leading to the uncontrolled consumption of server resources. The recent commit 6b34eb4 did resolve this weakness; however, a malicious client is still capable of bypassing block editing restrictions. Editing of the world should respect World#isBlockModifiable(PlayerEntity,BlockPos) to verify a player's permission to perform such an operation.

SchematicPlacePacket
A non-creative-mode player can place arbitrary schematics into the world due to missing permission checks. Moreover, creative players, who are intended to have permission to place schematics, bypass command block and block editing restrictions. Placement of block entity data should respect TileEntity#onlyOpsCanSetNbt() to guard against permission bypass. Similarly, entity spawning with user-defined NBT should respect Entity#ignoreItemEntityData().

SchematicUploadPacket
A malicious client has full write access to the remote server's file system via a user-specified file name and the permissive binary data upload performed by ServerSchematicLoader. The scope of this vulnerability has been reduced in dev by commit 334bde9, which adds the correct ".nbt" requirement; however, path traversal may still be performed, allowing escape of the intended "schematics/uploaded/{user}" directory. An example of path sanitization can be found here, as well as background information here.

Additionally, a user may upload a schematic containing malicious NBT which crashes the server when read. The function used, CompressedStreamTools#readCompressed(InputStream), applies an unlimited size tracker, enabling attempted allocation of arrays exceeding the VM limit; instead, the NBT should be read in a way that restricts allocations.

Finally, an upload can be performed, and a schematic item can be created, without a schematic and quill item in the schematic table.

ExtendoGripInteractionPacket
Unrestricted entity attacks and interactions can be performed due to missing reach validation.

ContraptionInteractionPacket
The contraption interaction enables teleportation to any loaded contraption due to missing distance checks.

ClientMotionPacket
This packet, introduced in dev, enables unrestricted free flight due to a lack of contraption collision verification. Currently, the earlier (now removed) packet CancelPlayerFallPacket enabled fall damage bypass.

SymmetryEffectPacket
A malicious client can send a specially crafted packet to crash the remote server due to initial-capacity list construction. The server is capable of decoding this packet, which is intended to be clientbound, because message registration does not specify a network direction, as can be done with SimpleChannel#messageBuilder(Class,int,NetworkDirection). The list should be constructed at default capacity.

Schematicannon
A modified client may upload a schematic containing a chest or hopper minecart with non-empty contents to create arbitrary items, bypassing item requirement conditions.

Contraptions
A creative-mode player is able to create a specially crafted minecart contraption item containing pre-set command blocks which, when placed down and broken, places the command blocks into the world with their data, bypassing command block restrictions.

Closing

I can provide further explanation and mitigation assistance as needed. Still, there are likely issues I did not get to uncover in this report that follow the general pattern laid out here. So, I advise further review of the code with security in mind. One resource I recommend for learning about secure coding practices is the SEI CERT Oracle Coding Standard for Java.
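As an added illustration of the two SchematicUploadPacket fixes the report asks for (file-name sanitization and a bounded NBT read), here is a hypothetical hardened upload receiver. It is not Create's code and not from the reporter; the Minecraft class names (CompressedStreamTools, NBTSizeTracker, CompoundNBT) assume the 1.15 MCP mappings the report uses, and the allow-list pattern, 8 MiB cap and "schematics/uploaded/{user}" layout are assumptions for the example.

```java
import java.io.BufferedInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;
import java.util.zip.GZIPInputStream;

import net.minecraft.nbt.CompoundNBT;
import net.minecraft.nbt.CompressedStreamTools;
import net.minecraft.nbt.NBTSizeTracker;

/**
 * Hypothetical hardened receiver for a schematic upload (example code, not
 * Create's). Class and method names assume the 1.15 MCP mappings.
 */
public final class SafeSchematicUpload {

    // Allow-list for the client-supplied name: a bare file name with no path
    // separators and no dots other than the required ".nbt" suffix.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}\\.nbt");

    // Player names are also user-influenced input and form part of the path.
    private static final Pattern SAFE_USER = Pattern.compile("[A-Za-z0-9_]{1,16}");

    // Assumption: 8 MiB, as counted by NBTSizeTracker, is plenty for a schematic.
    private static final long MAX_NBT_BYTES = 8L * 1024 * 1024;

    /**
     * Resolve an untrusted file name under the per-user upload directory.
     * The allow-list rejects traversal outright; the startsWith check on the
     * normalized path is a second line of defence should the pattern be loosened.
     */
    public static Path resolveUploadPath(Path uploadRoot, String userName, String fileName) throws IOException {
        if (!SAFE_NAME.matcher(fileName).matches()) {
            throw new IOException("Rejected schematic file name: " + fileName);
        }
        if (!SAFE_USER.matcher(userName).matches()) {
            throw new IOException("Rejected user name: " + userName);
        }
        Path userDir = uploadRoot.toAbsolutePath().normalize().resolve(userName).normalize();
        Path target = userDir.resolve(fileName).normalize();
        if (!target.startsWith(userDir)) {
            throw new IOException("Path escapes upload directory: " + target);
        }
        Files.createDirectories(userDir);
        return target;
    }

    /**
     * Decode gzip-compressed NBT under a size tracker. This is what
     * CompressedStreamTools#readCompressed(InputStream) does internally, except
     * that it passes NBTSizeTracker.INFINITE, so a crafted stream can declare an
     * array length that makes the server attempt an allocation beyond the VM limit.
     */
    public static CompoundNBT readBoundedNbt(InputStream compressed) throws IOException {
        try (DataInputStream in = new DataInputStream(new BufferedInputStream(new GZIPInputStream(compressed)))) {
            return CompressedStreamTools.read(in, new NBTSizeTracker(MAX_NBT_BYTES));
        }
    }
}
```

With these two helpers, a name such as "../../server.properties" or an absolute Windows path fails the allow-list before any path is built, and an upload whose NBT declares a multi-gigabyte byte array is rejected by the tracker with an exception rather than an OutOfMemoryError.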

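The ConfigureSchematicannonPacket/TileEntityConfigurationPacket, ExtendoGripInteractionPacket and SymmetryEffectPacket findings above all come down to server-side validation of a client-controlled packet. The following hypothetical serverbound packet is added here as an example of that pattern; it is not Create's code and not from the reporter. It assumes the 1.15 Forge/MCP names used in the report (SimpleChannel#messageBuilder with NetworkDirection, World#isBlockModifiable, NetworkEvent.Context), and the Configurable interface, the 8-block reach bound and the 16-position cap are assumptions for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Supplier;

import io.netty.handler.codec.DecoderException;
import net.minecraft.entity.player.ServerPlayerEntity;
import net.minecraft.network.PacketBuffer;
import net.minecraft.tileentity.TileEntity;
import net.minecraft.util.math.BlockPos;
import net.minecraft.world.World;
import net.minecraftforge.fml.network.NetworkDirection;
import net.minecraftforge.fml.network.NetworkEvent;
import net.minecraftforge.fml.network.simple.SimpleChannel;

/**
 * Hypothetical serverbound "configure these blocks" packet (example code, not
 * Create's). Names assume the 1.15 Forge/MCP mappings.
 */
public final class GuardedConfigurePacket {

    /** Hypothetical tile interface: whatever this packet is allowed to configure. */
    public interface Configurable {
        void configure(ServerPlayerEntity by, int value);
    }

    // Assumption: 8 blocks (64 squared) is a generous reach bound for block interaction.
    private static final double MAX_REACH_SQ = 64.0D;
    // Hard cap on positions per packet, regardless of what the client claims.
    private static final int MAX_POSITIONS = 16;

    private final List<BlockPos> positions;
    private final int value;

    public GuardedConfigurePacket(List<BlockPos> positions, int value) {
        this.positions = positions;
        this.value = value;
    }

    public static GuardedConfigurePacket decode(PacketBuffer buf) {
        int count = buf.readVarInt();
        // Never size an allocation from a client-controlled count: validate it,
        // then let a default-capacity list grow as elements actually arrive.
        if (count < 0 || count > MAX_POSITIONS) {
            throw new DecoderException("Too many positions: " + count);
        }
        List<BlockPos> positions = new ArrayList<>();
        for (int i = 0; i < count; i++) {
            positions.add(buf.readBlockPos());
        }
        return new GuardedConfigurePacket(positions, buf.readVarInt());
    }

    public void encode(PacketBuffer buf) {
        buf.writeVarInt(positions.size());
        for (BlockPos pos : positions) {
            buf.writeBlockPos(pos);
        }
        buf.writeVarInt(value);
    }

    public void handle(Supplier<NetworkEvent.Context> ctx) {
        ctx.get().enqueueWork(() -> {
            ServerPlayerEntity sender = ctx.get().getSender();
            if (sender == null) {
                return; // no sender: not a client-to-server message, ignore it
            }
            World world = sender.world;
            for (BlockPos pos : positions) {
                // Only touch loaded chunks, so a client cannot force generation
                // by naming far-away coordinates.
                if (!world.isBlockLoaded(pos)) {
                    continue;
                }
                // Reach: the player must be close enough to plausibly interact.
                if (sender.getDistanceSq(pos.getX() + 0.5D, pos.getY() + 0.5D, pos.getZ() + 0.5D) > MAX_REACH_SQ) {
                    continue;
                }
                // Permission: spawn protection, adventure mode and the like.
                if (!world.isBlockModifiable(sender, pos)) {
                    continue;
                }
                TileEntity te = world.getTileEntity(pos);
                if (te instanceof Configurable) {
                    ((Configurable) te).configure(sender, value);
                }
            }
        });
        ctx.get().setPacketHandled(true);
    }

    public static void register(SimpleChannel channel, int id) {
        // Declare the direction so the channel knows this message is only valid
        // client-to-server; the sender check in handle() covers the rest.
        channel.messageBuilder(GuardedConfigurePacket.class, id, NetworkDirection.PLAY_TO_SERVER)
                .encoder(GuardedConfigurePacket::encode)
                .decoder(GuardedConfigurePacket::decode)
                .consumer(GuardedConfigurePacket::handle)
                .add();
    }
}
```

The order of the checks matters: the loaded-chunk test comes first because World#isBlockModifiable and getTileEntity would themselves load (and potentially generate) the chunk, and the decoder refuses oversized counts before allocating anything, which is the same defect the report describes for SymmetryEffectPacket's initial-capacity list.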
commented

I am unable to commit the time to completing all the corrections so here is what I did manage to do: https://github.com/pau101/Create/tree/mc1.15/security-patches
The significant issue remaining is contraptions enabling command block restriction bypass.

commented

Thank you for taking the time to study the implementation this thoroughly.
Assistance would be appreciated; we have limited time and few active contributors, and security concerns currently have to make way for feature progress.
That is, refactoring to address these takes time. The fact these vulnerabilities exist in the first place is evidently owed to a lack of experience.

commented

I'll get started on a PR addressing the findings.