invenio-records is vulnerable to cross-site scripting (XSS). When an admin user views a new record uploaded by a user with permission to upload in the admin interface, the record's JSON output is rendered directly, allowing the uploading user to inject arbitrary malicious script that is rendered in the admin interface.
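The pattern described above, shown as an added example beside a hardened form. This is not invenio-records code: the function names, the `<pre>` wrapper and the sample record are assumptions made for illustration.

```python
import html
import json

# Constructed sample record: a field value carrying markup, as an uploader could submit.
SAMPLE_RECORD = {"title": "<script>alert(1)</script>", "pages": 12}


def render_json_unsafe(record):
    """Vulnerable pattern: serialized JSON is placed into HTML as-is."""
    # json.dumps escapes quotes and control characters for JSON,
    # but leaves <, > and & untouched, so markup in a value stays live.
    return "<pre>{0}</pre>".format(json.dumps(record, indent=2, sort_keys=True))


def render_json_safe(record):
    """Hardened pattern: HTML-escape the serialized JSON before embedding it."""
    body = json.dumps(record, indent=2, sort_keys=True)
    return "<pre>{0}</pre>".format(html.escape(body, quote=True))


def displayed_text(cell_html):
    """Text a browser would show for an escaped cell: strip the wrapper, decode entities."""
    inner = cell_html[len("<pre>"):-len("</pre>")]
    return html.unescape(inner)


if __name__ == "__main__":
    print(render_json_unsafe(SAMPLE_RECORD))
    print(render_json_safe(SAMPLE_RECORD))
```

The escaped output still displays the record exactly as stored, so the admin view loses nothing by escaping.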
github.com/inveniosoftware/invenio-records/blob/master/CHANGES.rst
github.com/inveniosoftware/invenio-records/commit/361def20617cde5a1897c2e81b70bfadaabae608
github.com/inveniosoftware/invenio-records/commit/4b3f74ead8db36cec6a6b97a77ddd56e0ff30e2b
github.com/inveniosoftware/invenio-records/security/advisories/GHSA-vxh3-mvv7-265j