XSS --- severity - 8.9π
Don't just report xss with alert popup, always try to chain it with critical action like i chain it with org takeover,
where when script execute!
ORG admin upgrade attacker to Admin and Original Admin remove himself from Org within 1 click!