passbolt/passbolt_api is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper sanitization of user input, allowing an attacker to inject malicious scripts into the userβs first and last name fields, which execute when the setup link in the invitation email is accessed.