cPanel prior to 84.0.20 allows self XSS via a temporary character-set specification (SEC-515).
cpanel cpanel