ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI.
frappe erpnext 11.1.47