According to Netsecfish’s Notion site (h/t BleepingComputer), the vulnerability is in the account_mgr.cgi script, where malicious input supplied in the name parameter can be used to execute the exploit. The issue is tracked in the National Vulnerability Database (NVD) as CVE-2024-10914 and is rated a critical flaw with a severity score of 9.2.