Ifme is an open source mental health experience community that encourages people to share their personal stories with trusted allies. ifme has a cross-site scripting vulnerability in versions v1.0.0 to v7.31.4, which stems from a lack of data validation filtering of user-supplied data and output in the notifications section. An attacker could trigger the vulnerability by sending an ally request to the administrator to execute JavaScript code.