grumpydictator/firefly-iii is vulnerable to cross-site scripting (XSS). The attack is possible because the application does not escape the user-provided data in the budget name, allowing an attacker to inject a malicious script in a transaction that is then executed on the tags/show/$tag_number$ tag summary page.
github.com/firefly-iii/firefly-iii/blob/45ddb64186e310a004acaf0f3d2766d00841f7f8/.sandstorm/changelog.md
github.com/firefly-iii/firefly-iii/compare/45ddb64186e310a004acaf0f3d2766d00841f7f8...def307010c388c4e92d7066671ad62e477cc087a
github.com/firefly-iii/firefly-iii/compare/76aa8ac...45b8c36
github.com/firefly-iii/firefly-iii/issues/2335