The title of user notifications is not sufficiently validated, which allows script injection (XSS) in the notifications view.
Steps to reproduce:
1. Log in to an admin account
2. Hover over the username and click on Notifications
3. Create a new notification with the Title `<script>alert(document.location)</script>` and an arbitrary message
4. The XSS is triggered whenever the notifications view is loaded
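
For the fix side, the following added example (not code from the affected project) contrasts rendering a stored title as-is with encoding it at output time, and shows that a plain length/character check at creation time still accepts the title from step 3. The function names, the markup and the 120-character limit are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not the affected application's code.

// Characters that are significant in HTML text and quoted-attribute contexts.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: stored fields are concatenated into markup unchanged.
function renderNotificationUnsafe(n) {
  return '<li class="notification"><h4>' + n.title + '</h4><p>' + n.message + '</p></li>';
}

// Hardened pattern: every stored field is encoded when the view is built.
function renderNotificationSafe(n) {
  return '<li class="notification"><h4>' + escapeHtml(n.title) +
         '</h4><p>' + escapeHtml(n.message) + '</p></li>';
}

// Creation-time check (assumed policy): non-empty, bounded length, no control
// characters. This is defence in depth only; it does not replace output encoding.
function validateTitle(title) {
  if (typeof title !== 'string') return { ok: false, reason: 'title must be a string' };
  const trimmed = title.trim();
  if (trimmed.length === 0 || trimmed.length > 120) return { ok: false, reason: 'length' };
  if (/[\u0000-\u001f\u007f]/.test(trimmed)) return { ok: false, reason: 'control characters' };
  return { ok: true, value: trimmed };
}

// Constructed sample record using the title from the reproduction steps.
const sample = {
  title: '<script>alert(document.location)</script>',
  message: 'Maintenance window at 22:00',
};

function demo() {
  return {
    accepted: validateTitle(sample.title).ok,   // the check alone lets the title through
    unsafe: renderNotificationUnsafe(sample),   // markup contains a live script element
    safe: renderNotificationSafe(sample),       // title is displayed as inert text
  };
}

console.log(demo());
```

If the view is built with a template engine or DOM APIs instead of string concatenation, the equivalent fix is to use the engine's auto-escaping output or `textContent` for the title.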