apache_airflow is vulnerable to Stored Cross-Site Scripting (XSS) attacks. The library uses template literals to construct html elements, which allows an attacker to execute malicious JavaScript on victim’s browser through XSS payloads stored on the application server.