The backend suffers from a reflected XSS because of missing output filtering.
A prerequisite for this vuln is that you enable the option to view invoices online (this is only needed to see the id of the account in order to craft the payload; maybe this number can also be found somewhere else...).
This is possible because the search value is not enclosed in quotes (see screenshot2), so it is possible to inject any event handler into the HTML code.
The worst things that can be done with this vulnerability are redirecting a Moneybird user to a phishing page where he is prompted to enter his login credentials, or an attacker could even add himself to the admins of the account and take it over completely. He could also mark his own invoice as paid and so cause a financial loss to the victim.
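To make the root cause concrete, here is an added example (not Moneybird's code, written for this report) that reconstructs the unquoted-attribute pattern described above beside its hardened form, and a toy attribute tokenizer that checks whether an injected event handler survives rendering. The template strings, the search field name `q` and the sample input are assumptions for illustration only.

```python
import html
import re

# Constructed sample input: a search term carrying an event-handler fragment
# after whitespace, which is exactly what an unquoted attribute cannot contain.
SAMPLE_SEARCH = 'foo onmouseover=x'

def render_unquoted(search_value: str) -> str:
    """Vulnerable pattern from the report (assumed reconstruction): the search value is
    echoed into an attribute without quotes, so the first whitespace in the input ends
    the attribute value and everything after it becomes new attributes of the tag."""
    return f'<input type="text" name="q" value={search_value}>'

def render_quoted_escaped(search_value: str) -> str:
    """Hardened form: always quote the attribute and HTML-escape the value, including
    both quote characters, so the input can never terminate the attribute or the tag."""
    return f'<input type="text" name="q" value="{html.escape(search_value, quote=True)}">'

# Toy tokenizer for a single tag (not a real HTML parser): an attribute name,
# optionally followed by a quoted or unquoted value.
_ATTR_RE = re.compile(r'\s([a-zA-Z:-]+)(?:=(?:"[^"]*"|\'[^\']*\'|[^\s>]*))?')

def attribute_names(tag: str) -> list[str]:
    """Return the attribute names a browser would see in the rendered tag."""
    return _ATTR_RE.findall(tag)

def has_event_handler(tag: str) -> bool:
    """True if any attribute name looks like an on* event handler."""
    return any(name.lower().startswith('on') for name in attribute_names(tag))

if __name__ == '__main__':
    for render in (render_unquoted, render_quoted_escaped):
        out = render(SAMPLE_SEARCH)
        print(f'{render.__name__}: {out}')
        print('  attributes:', attribute_names(out), 'event handler:', has_event_handler(out))
```

Running it shows the unquoted template exposing an extra `onmouseover` attribute from plain search input, while the quoted and escaped template keeps the whole input inside the `value` attribute; the same escaping also neutralises quote characters, which is what makes the quoted form safe rather than the quotes alone.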