Gophish up to and including 0.12.1 exists to contain a cross-site scripting (XSS) vulnerability via a crafted landing page.
getgophish gophish