@r0dkc4b reported a reflected self-XSS (non-exploitable) vulnerability that existed within our organization creation page. If the organizaton name contained HTML markup and the submitted coupon code was invalid, the unescaped organization name was used in the response.
While this was a non-exploitable vulnerability that was also mitigated by our use of CSP, we still took the threat seriously. We addressed the behavior by properly escaping the organization name.