OpenTSDB 2.3.0 is affected by a cross-site scripting (XSS) issue in the 'json' parameter of the /q URI.
opentsdb opentsdb 2.3.0