In JetBrains Hub prior to 2021.1.13402, HTML injection in the password reset email was possible.